The above calculation formula is incorrect.
For example:
a user stakes 100 ETH into the pool, and balance.holdAmount is 0 (there are no positions at this time).
The user wants to withdraw all their stake, but according to the above formula, with a limit of 0.8,
availableTokenAmount = 100 eth * 0.8 = 80 ETh.
the user is allowed to withdraw only 80 ETH, However, the user should be able to withdraw 100 ETH..
The correct calculation formula should be the same as in getMaxWithdraw().
When liquidity is insufficient, users cannot withdraw all their funds at once, but they can withdraw in batches. When new liquidity is injected, users will be able to withdraw all of their tokens at once.
ZeroTrust
Medium
Liquidity providers are unreasonably restricted by pool.getPoolAvailableLiquidity() when redeeming Stake Tokens
Summary
Liquidity providers are unreasonably restricted by pool.getPoolAvailableLiquidity() when redeeming Stake Tokens
Vulnerability Detail
The above calculation formula is incorrect. For example: a user stakes 100 ETH into the pool, and balance.holdAmount is 0 (there are no positions at this time). The user wants to withdraw all their stake, but according to the above formula, with a limit of 0.8, availableTokenAmount = 100 eth * 0.8 = 80 ETh. the user is allowed to withdraw only 80 ETH, However, the user should be able to withdraw 100 ETH..
The correct calculation formula should be the same as in
getMaxWithdraw()
.Impact
The incorrect calculation affects users’ ability to redeem Stake Tokens.
Code Snippet
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L133
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/LpPoolQueryProcess.sol#L151
Tool used
Manual Review
Recommendation
Modify the calculation formula.