Improper/ unsupposed Withdrawal of Owed token when user calls ''' function withdraw ( uint lpAmount, .....)''' with lpAmount parameter as 0

Screenshot 2023-06-25 142528

Summary

A user can malicio

Vulnerability Detail

A Wagmi end user who has no intention of withdrawing LP can call ''' function withdraw ( uint lpAmount, .....) ''' with null lpAmount. The caller gets no tokens but forces the multipool contract to unnecessarily collect Owed fees from all positions. This is executed when contract calls '' IUniswapV3Pool(position.poolAddress).collect( ''''

This is the path ''' function withdraw() external ''' => ''' function _withdraw() private '''. Then the private _withdraw functions makes call to Uniswap and also '''_upFeesGrowth(fee0, fee1, _totalSupply); '' which are both Unnecesary because uniswap actually executes the call and payment made to owner via _upFeesGrowth().

Impact

Unnecessary collection Owed Tokens by contract.

Code Snippet

https://github.com/sherlock-audit/2023-06-real-wagmi/blob/main/concentrator/contracts/Multipool.sol#L530

https://github.com/sherlock-audit/2023-06-real-wagmi/blob/main/concentrator/contracts/Multipool.sol#L557

Tool used

Manual Review

Recommendation

May require lpAmount >0

sherlock-audit / 2023-06-real-wagmi-judging

0xKodak - Improper/ unsupposed Withdrawal of Owed token when user calls ''' function withdraw ( uint lpAmount, .....)''' with lpAmount parameter as 0 #179