MIN_LIQUIDITY can lower than intended

Summary

The MIN_LIQUIDITY variable at here can be lower than whats written.

Vulnerability Detail

The MIN_LIQUIDITY is a constant variable that is meant to be constant and not change, the comment there says that:

uint256 public constant MIN_LIQUIDITY = 10_000; // minimum totalSupply that is allowable

which means that the totalSupply should not be lower than that amount.

The MIN_LIQUIDITY was checked in the executeDeposit function to ensure that the minted amount is not lower than the MIN_LIQUIDITY :

 if (totalSupply() < MIN_LIQUIDITY) {
            revert FlatcoinErrors.AmountTooSmall({amount: totalSupply(), minAmount: MIN_LIQUIDITY});
        }

The issue here is that the same check is not in place during withdrawal and the withdraw amount was directly pass in to the _burn function allowing the totalSupply to be lower than the MIN_LIQUIDITY

Impact

The impact here is that the totalSupply can be lower than the said MIN_LIQUIDITY that should be always be the minimum allowed as the comment says

  // minimum totalSupply that is allowable

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/StableModule.sol#L30

Tool used

Manual Review

Recommendation

The sponsor confirm to me that that :

// I believe it's an old artifact no longer required. It was put in to avoid rounding errors and inflation attack but it's not really relevant anymore.

it should be removed then and also the same check in the executeDeposit should also be removed.

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 8 months ago

Invalid, seemingly duplicate pf #190, but fails to identify the root cause and impact of a bypass of minimum checks for a standard first depositor inflation bug

sherlock-audit / 2023-12-flatmoney-judging

takarez - MIN_LIQUIDITY can lower than intended #173