Deposit Limit Logic Allows Exceeding Cap by One Entry in addLiquidityProportional::UpLiftOnlyExample.sol
Summary
The addLiquidityProportional function in the protocol is intended to restrict the number of deposits per user per pool to a maximum of 100. However, the current implementation contains a logic flaw that allows a user to exceed this limit by one. Specifically, the condition:
Vulnerability Details
ensures that a deposit attempt will fail only if the current length of poolsFeeData[pool][msg.sender] is greater than 100.
Why it allows deposit up to 101:
-
Condition Logic: The check is
if (poolsFeeData[pool][msg.sender].length > 100).If the length is exactly 100, this condition evaluates to
false, and the function proceeds to allow the deposit.The deposit is then appended to the array, making its length 101 after the transaction.
-
Revert Mechanism: The revert only triggers if the length exceeds 100 before the deposit is attempted, meaning it permits deposits when the length is exactly 100.
Impact
Users can exceed the deposit limit, violating the protocol's intended design.
Severity: low to medium
Tools Used
Manual review
Recommendations
This change ensures that no deposit is allowed when the user already has 100 deposits.
Lead Judging Commences
invalid_Uplift_101_deposit_strict_equal
Only 1 more NFT won’t have any impact. Informational.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.