Vulnerability Details

The calcLpTokenSupply function in the ConstantProduct2 contract is responsible for calculating the supply of LP tokens based on the reserves of two tokens in a liquidity pool. The function does not include a check to ensure that the reserves provided as input are non-zero. This omission can lead to a zero LP token supply calculation if one or both reserves are zero, which may not be a valid state for the liquidity pool.

Impact

The calcLpTokenSupply function does not perform a check to ensure that neither of the reserves is zero before calculating the LP token supply. In the context of a constant product market maker, a reserve of zero could represent an uninitialized or drained pool. If the function is called with a zero reserve, the result would be a zero LP token supply, which may not be an accurate reflection of the pool's state. Moreover, other functions that depend on the LP token supply may not handle a zero value gracefully, potentially leading to division by zero errors or other unexpected behavior.

Tools Used

manual review

Recommendations

To address the potential issue of zero reserves in the calcLpTokenSupply function, it would be advisable to add a check to ensure that neither of the reserves is zero before performing the calculation. This can be done using the require function to revert the transaction with a custom error message if either reserve is zero. Here's how you could modify the function to include this check: