The add liquidity and removeLiquidity functions, as well as the _redeemPositionToken function, do not check whether the pool has expired before performing liquidity operations. This oversight lets users interact with expired pools, which may lead to unintended behavior or loss of funds.
Create a pool with an expiration time set in the future.
The line of code above defines the expiration of the pool.
Wait until the pool's expiration time has passed.
Call the add liquidity or remove liquidity function on the expired pool.
Users could unknowingly add or remove liquidity from a pool that has already passed its expiration date, which may result in:
Invalid or incorrect pool interactions
Loss of funds or failure of liquidity operations
Deviation from expected behavior of the protocol, where expired pools should no longer accept liquidity actions.
Manual Review
Add a check in both functions to verify that the pool's expiration time (expiryTime) has not passed before allowing any liquidity operations. If the pool is expired, revert the transaction with an appropriate error message.
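One way to implement the recommended check is sketched below. This is an added example, not the audited project's code: the contract, struct, error, and modifier names are hypothetical, only expiryTime comes from the finding, and balances are tracked as plain accounting with no token transfers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: a minimal pool registry, not the audited contract.
/// Every name except expiryTime is hypothetical.
contract ExpiringPools {
    struct Pool {
        uint256 expiryTime;     // unix timestamp at which the pool closes
        uint256 totalLiquidity; // accounting only, no token transfers here
    }

    error PoolNotFound(uint256 poolId);
    error PoolExpired(uint256 poolId, uint256 expiryTime);
    error InsufficientLiquidity(uint256 requested, uint256 available);

    mapping(uint256 => Pool) public pools;
    mapping(uint256 => mapping(address => uint256)) public balances;
    uint256 public nextPoolId;

    /// Reverts unless the pool exists and its expiry is still in the future.
    /// Treating block.timestamp == expiryTime as expired is an assumption.
    modifier notExpired(uint256 poolId) {
        uint256 expiry = pools[poolId].expiryTime;
        if (expiry == 0) revert PoolNotFound(poolId);
        if (block.timestamp >= expiry) revert PoolExpired(poolId, expiry);
        _;
    }

    function createPool(uint256 expiryTime) external returns (uint256 poolId) {
        require(expiryTime > block.timestamp, "expiry must be in the future");
        poolId = nextPoolId++;
        pools[poolId].expiryTime = expiryTime;
    }

    // The guard runs before any state change, so an expired pool is untouched.
    function addLiquidity(uint256 poolId, uint256 amount) external notExpired(poolId) {
        pools[poolId].totalLiquidity += amount;
        balances[poolId][msg.sender] += amount;
    }

    function removeLiquidity(uint256 poolId, uint256 amount) external notExpired(poolId) {
        uint256 held = balances[poolId][msg.sender];
        if (amount > held) revert InsufficientLiquidity(amount, held);
        balances[poolId][msg.sender] = held - amount;
        pools[poolId].totalLiquidity -= amount;
    }
}
```

Placing the check in a modifier keeps it identical across every entry point, so a newly added liquidity function cannot silently omit it. Once removeLiquidity reverts after expiry, any remaining balances need a separate post-expiry exit path, which this sketch does not model.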