The removeLiquidity and removeLiquidityPermit2 function in the smart contract is responsible for removing liquidity from a vault and burning LP tokens. There is a potential security issue where the function does not check if the caller (msg.sender) is the same as the receiver (params_.receiver). This oversight could allow unauthorized parties to remove someone else's liquidity.
Vulnerability Detail
The function currently does not validate that the caller (msg.sender) is the same as the params_.receiver. This lack of validation means that any user could potentially call this function and specify another user's address as the receiver, leading to unauthorized liquidity removal.
Impact
Without verifying that the caller is the intended receiver, an attacker could remove another user's liquidity, leading to potential loss of assets for the affected user.
Implement a check to ensure that the caller (msg.sender) is the same as the params_.receiver. This can be done by adding a simple conditional check before proceeding with the liquidity removal.
cu5t0mPeo
commented
3 months ago
0xrobsol
medium
Caller Verification in removeLiquidity Function
Summary
The removeLiquidity and removeLiquidityPermit2 function in the smart contract is responsible for removing liquidity from a vault and burning LP tokens. There is a potential security issue where the function does not check if the caller (msg.sender) is the same as the receiver (params_.receiver). This oversight could allow unauthorized parties to remove someone else's liquidity.
Vulnerability Detail
The function currently does not validate that the caller (msg.sender) is the same as the params_.receiver. This lack of validation means that any user could potentially call this function and specify another user's address as the receiver, leading to unauthorized liquidity removal.
Impact
Without verifying that the caller is the intended receiver, an attacker could remove another user's liquidity, leading to potential loss of assets for the affected user.
Code Snippet
https://github.com/sherlock-audit/2024-03-arrakis/blob/main/arrakis-modular/src/ArrakisPublicVaultRouter.sol#L263-L282
https://github.com/sherlock-audit/2024-03-arrakis/blob/main/arrakis-modular/src/ArrakisPublicVaultRouter.sol#L391-L421
Tool used
Manual Review
Recommendation
Implement a check to ensure that the caller (msg.sender) is the same as the params_.receiver. This can be done by adding a simple conditional check before proceeding with the liquidity removal.