The state variable in UpliftOnlyExample::nftPool is updated upon calling function UpliftOnlyExample::addLiquidityProportional() but is not reset upon removal of liquidity and burning of the NFT.
Summary
When the function UpliftOnlyExample:addLiquidityProportional() is called, an NFT in minted to the sender and then the pool associated with the newly minted NFT is set to the appropriate pool address. Upon removal of liquidity and burning of the NFT, the state variable that stores the associated pool for the burnt NFT is not reset, this leaves the smart contract in an inconsistent state where an NFT no longer exist but it ID is still stored with an associated pool.
Vulnerability Details
This vulnerability occurs on this line where an NFT id is assigned it associated pool but not subsequently reset to an empty address upon burning of the NFT.
Impact
This leads to inconsistent state of the smart contract storage because in reality the an NFT is no longer in existence but smart contract still keeps a refrence of it associated pool stored in it state.
Tools Used
Manual Review
Recommendations
Once liquidity is removed and the NFT is burned, the corresponding pool for an NFT should be reset after burning of the NFT. Here's a code snippet of how to fix that.
nftPool[tokenID] = address(0);
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.