QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

USDC blacklist can lead to locked liquidity

Summary

In removeLiquidityProportional, when a user wants to remove liquidity, the contract needs to transfer the reward from the vault to the user:

removeLiquidityHook

File: MinimalRouter.sol

            // There can be only one WETH token in the pool.
            if (params.wethIsEth && address(token) == address(_weth)) {
                // Send WETH here and unwrap to native ETH.
                _vault.sendTo(_weth, address(this), amountOut);
                _weth.withdraw(amountOut);
                // Send ETH to receiver.
                payable(params.receiver).sendValue(amountOut);
            } else {
                // Transfer the token to the receiver (amountOut).
                _vault.sendTo(token, params.receiver, amountOut);
            }
        }
    }

If the token that needs to be sent implements a blacklist (for example, USDC) and the vault is blacklisted by that token, the sendTo function call will revert, causing removeLiquidityHook to fail.

This will prevent users from removing their liquidity from the pool.

Impact

The impact is rated as LOW: users' funds would become locked in the protocol, but this scenario requires specific conditions that are unlikely to occur:

  • The token must implement a blacklist

  • A user tries to remove liquidity

  • The vault is blacklisted

Tools Used

Manual review

Recommendations

Consider implementing a fallback mechanism for failed reward transfers using a try/catch block. Although the likelihood of this attack occurring is extremely low, this code block should be wrapped in a try/catch: removing liquidity should never revert under any circumstances, as a revert would cause users who added liquidity to lose their LPs, and thus their funds.
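The try/catch fallback recommended above, sketched as an added example that is not QuantAMM or Balancer code: VaultModel, RouterModel, liquidity, owed and claim are hypothetical names, and the model assumes a single token and omits the real vault's accounting and pool math. A failed payout is recorded as a claim instead of reverting; in this model the tokens stay in the vault until the token contract allows the transfer again.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model for illustration only.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Simplified vault: holds the tokens, and only the router that deployed it may move them.
contract VaultModel {
    address public immutable router = msg.sender;

    function sendTo(IERC20Like token, address to, uint256 amount) external {
        require(msg.sender == router, "only router");
        // A blacklisting token reverts here when the vault or `to` is blocked.
        require(token.transfer(to, amount), "transfer failed");
    }
}

contract RouterModel {
    VaultModel public immutable vault;
    IERC20Like public immutable token;
    mapping(address => uint256) public liquidity; // provider => amount deposited
    mapping(address => uint256) public owed;      // receiver => deferred payout
    event PayoutDeferred(address indexed receiver, uint256 amount);

    constructor(IERC20Like token_) { vault = new VaultModel(); token = token_; }

    function addLiquidity(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(vault), amount), "deposit failed");
        liquidity[msg.sender] += amount;
    }

    function removeLiquidity(uint256 amountOut, address receiver) external {
        liquidity[msg.sender] -= amountOut; // checked math: reverts if above the deposit
        // The position is closed even if the payout fails; the amount becomes claimable.
        try vault.sendTo(token, receiver, amountOut) {} catch {
            owed[receiver] += amountOut;
            emit PayoutDeferred(receiver, amountOut);
        }
    }

    function claim() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // cleared before the call; a revert restores it
        vault.sendTo(token, msg.sender, amount);
    }
}
```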

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
