search

sherlock-audit / 2023-07-kyber-swap-judging

12 stars 8 forks source link

jovi - Liquidity Locking Vulnerability Due to Hardcoded MIN_LIQUIDITY Value in unlockPool Function #96

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

jovi

high

Liquidity Locking Vulnerability Due to Hardcoded MIN_LIQUIDITY Value in unlockPool Function

Summary

The unlockPool function, responsible for initializing and unlocking pools, contains a hardcoded MIN_LIQUIDITY value set to 100. This represents the total amount of LP tokens minted upon the function's call based on the initially provided quantities of tokens A and B. However, combined with the flooring operation in the calcrMintQty function, users depositing liquidity close to the initialization amounts can receive 0 LP tokens, effectively locking their funds within the pool.

Vulnerability Detail

The unlockPool function is designed to initialize and unlock liquidity pools, minting an initial batch of LP tokens equivalent to the hardcoded MIN_LIQUIDITY value. However, when users add liquidity amounts close to the initialization values, the calcrMintQty function's flooring mechanism can result in the minting of 0 LP tokens for the user. For example, in a pool initialized with 10k USDT and 10k USDC, a user attempting to deposit 99 USDT and 99 USDC would receive no LP tokens. As a consequence, their tokens become trapped within the pool without the corresponding LP tokens required for withdrawal.

Impact

Users risk locking their funds in the pool when depositing amounts near the initialization values, leading to potential financial loss. As they receive no LP tokens, they lose the ability to withdraw or interact with their deposited funds, which can deter participation in the protocol and erode trust in the platform.

Code Snippet

https://github.com/sherlock-audit/2023-07-kyber-swap/blob/main/ks-elastic-sc/contracts/libraries/MathConstants.sol#L8

https://github.com/sherlock-audit/2023-07-kyber-swap/blob/main/ks-elastic-sc/contracts/Pool.sol#L56-L73

Tool used

Manual Review

Recommendation

Reevaluate the hardcoded MIN_LIQUIDITY value in the unlockPool function. Increasing this constant can help alleviate the risks associated with rounding errors, ensuring users always receive an appropriate amount of LP tokens for their deposits. A less riskier value would be 1e8 or even 1e10.

sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

Trumpero commented:

invalid, reinvestment token is used to collect fees of Pool, it is not considered LP tokens. Depositing to pool doesn't mint rTokens, but swaps do. rTotalSupply starts with MIN_LIQUIDITY and increases after multiple swaps.