QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

The LP shares in the pool are not burned when removeLiquidityProportional is called

Summary

Vulnerability Details

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol#L265

The removeLiquidityProportional function is used to remove liquidity from a pool, but there is an issue whereby it is missing important logic: when LPs add liquidity, tokens are minted to them as shares in the pool, but the shares are not burned when the LPs remove their liquidity, which can pose a great risk to the pool.

The onAfterRemoveLiquidity function handles the burning of the LP share token in the pool and also calculates the fees accrued for the LP. The onAfterRemoveLiquidity function is supposed to be called by removeLiquidityProportional when a liquidity provider wants to remove their liquidity, so that the function can burn their share in the pool and calculate the fees.

Here is the link to the onAfterRemoveLiquidity function:

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol#L431

Impact

The LP can continue to withdraw from the pool until the pool gets drained, because the LP shares are not burned when they remove their liquidity.

Tools Used

Manual

Recommendation

Ensure LP shares are burned when they are removing their liquidity by calling the onAfterRemoveLiquidity function in the removeLiquidityProportional function.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
