Submission Details
Severity:
Mapping Inconsistencies in `nftPool` During Liquidity Removal
Summary
While user adds liquidity and mints nft it sets the corresponding pool address nftPool[tokenID] = pool; but when user burns this token it does not remove this mapping and can cause inconsistencies.
Vulnerability Details
Impact
Inconsistencies in storage.
Tools Used
Manual Review
Recommendations
function removeLiquidityProportional(
uint256 bptAmountIn,
uint256[] memory minAmountsOut,
bool wethIsEth,
address pool
) external payable saveSender(msg.sender) returns (uint256[] memory amountsOut) {
uint depositLength = poolsFeeData[pool][msg.sender].length;
if (depositLength == 0) {
revert WithdrawalByNonOwner(msg.sender, pool, bptAmountIn);
}
// Do removeLiquidity operation - tokens sent to msg.sender. //@ - where it is sending tokens to the msg.sender?
amountsOut = _removeLiquidityProportional(
pool,
address(this),
msg.sender,
bptAmountIn,
minAmountsOut,
wethIsEth,
abi.encodePacked(msg.sender)
);
++ nftPool[tokenId] = address(0);
}
Updates
Lead Judging Commences
n0kto 11 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Total prize
49,600 OP
nSLOC
3,00017
OP / LOC
44,640
4,960
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.