Withdraw Instruction can withdraw total amount in pool(Including unclaimed_fees)
Summary
The admin gated withdraw instruction could withdraw the entire pool balance without leaving any amount left in the pool to collect the fees to be callled by the claim_fee instruction.
Root Cause
In deposit_withdraw.rs, the variable has an underscore hence the rust compiler ignores the variable been unused.
Internal pre-conditions
Admin calls withdraw instruction where amount + woopool.unclaimed_fees > woopool.amount.
Admin calls claim_fee instruction but cannot withdraw any fees because the pool is currently empty
Impact
These prevents the protocol from been able to appropriately withdraw it's unclaimed fees in some scenarios.
Passive Indigo Dolphin
High
Withdraw Instruction can withdraw total amount in pool(Including unclaimed_fees)
Summary
The admin gated
withdrawinstruction could withdraw the entire pool balance without leaving any amount left in the pool to collect the fees to be callled by theclaim_feeinstruction.Root Cause
In
deposit_withdraw.rs, the variable has an underscore hence the rust compiler ignores the variable been unused.Internal pre-conditions
Admin calls
withdrawinstruction whereamount + woopool.unclaimed_fees > woopool.amount.Admin calls
claim_feeinstruction but cannot withdraw any fees because the pool is currently emptyImpact
These prevents the protocol from been able to appropriately withdraw it's unclaimed fees in some scenarios.
Mitigation
Add this below
to the
deposit_withdraw.rsand comment out or delete this line