sherlock-audit / 2023-01-ajna-judging


Jeiwan - Anyone can transfer approved LP tokens #156

Open github-actions[bot] opened 1 year ago

github-actions[bot] commented 1 year ago

Jeiwan

medium

Anyone can transfer approved LP tokens

Summary

Anyone can call the Pool.transferLPs function and transfer previously approved LP tokens to the approved address.

Vulnerability Detail

The Pool.transferLPs function allows transferring LP tokens from one address to another. Even though it requires approving a transfer, actual transferring is left at the discretion of the approved address: approving allows the approved address to transfer LP tokens when appropriate. However, since the Pool.transferLPs function can be called by any address, the owner of the tokens may be impacted.

Impact

Lender's LP tokens may be transferred to an approved address at an inappropriate time, impacting the position management strategy of the lender.

Code Snippet

Pool.sol#L238

Tool used

Manual Review

Recommendation

Consider allowing only the owner or newOwner_ to call the Pool.transferLPs function.
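
A simplified model of the access-control gap described in this report, next to the recommended restriction. It is an added illustration, not the Ajna Pool.sol code: the contract name, storage layout, `deposit`, `approve`, the two `transferLPs*` variants and the error names are all assumptions; only `transferLPs` and `newOwner_` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;

/// Simplified model of per-bucket LP accounting (hypothetical, not Ajna's Pool.sol).
contract LPTransferModel {
    // owner => bucket index => LP balance
    mapping(address => mapping(uint256 => uint256)) public lps;
    // owner => approved new owner => bucket index => approved LP amount
    mapping(address => mapping(address => mapping(uint256 => uint256))) public allowance;

    error NoAllowance();
    error NotAuthorized();

    // Stand-in for adding liquidity: credits LPs to the caller.
    function deposit(uint256 index_, uint256 amount_) external {
        lps[msg.sender][index_] += amount_;
    }

    // The owner records how many LPs newOwner_ may receive from a bucket.
    function approve(address newOwner_, uint256 index_, uint256 amount_) external {
        allowance[msg.sender][newOwner_][index_] = amount_;
    }

    // Behaviour described in the report: msg.sender is never checked, so any
    // address can execute a transfer that the owner has only approved.
    function transferLPsUnrestricted(address owner_, address newOwner_, uint256 index_) external {
        _transfer(owner_, newOwner_, index_);
    }

    // Recommended behaviour: only the owner or the approved recipient
    // decides when the approved transfer actually happens.
    function transferLPsRestricted(address owner_, address newOwner_, uint256 index_) external {
        if (msg.sender != owner_ && msg.sender != newOwner_) revert NotAuthorized();
        _transfer(owner_, newOwner_, index_);
    }

    function _transfer(address owner_, address newOwner_, uint256 index_) private {
        uint256 amount = allowance[owner_][newOwner_][index_];
        if (amount == 0) revert NoAllowance();
        delete allowance[owner_][newOwner_][index_]; // approval is single-use
        // Checked arithmetic reverts if the owner's balance fell below the approval.
        lps[owner_][index_] -= amount;
        lps[newOwner_][index_] += amount;
    }
}
```

In a test harness, a call to `transferLPsUnrestricted` from a third address succeeds once an approval exists, while the same call to `transferLPsRestricted` reverts with `NotAuthorized`.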

grandizzy commented 1 year ago

removing will fix label, will address after Sherlock contest