Changing the liquidity pool address leads to stuck funds
Summary
If this function is called more than one time without transferring funds from the old liquidity pool to the new one, any RAAC tokens held in the previous liquidity pool will become inaccessible. This leads to a permanent loss of funds.
Vulnerability Details
There is a scenario where
setLiquidityPoolis called by mistake or the pool address needs to be changed for security reasons and theownercalls thesetLiquidityPoolfunction to do so, but this results in the loss of all tokens.
Issue: Funds in the Old Liquidity Pool Are Not Transferred
-
The function
setLiquidityPoolallows the contract owner to change the liquidity pool address without ensuring that any existing RAAC token balance in the old liquidity pool (if there is one) is transferred to the new one. -
As a result, those tokens become unrecoverable, leading to financial loss.
Affected Code:
Impact
Irrecoverable Tokens: Since there is no built-in mechanism to reclaim tokens from the old liquidity pool (if there is one), funds could be lost indefinitely.
Tools Used
Manual Code Review
Recommendations
Implement a Safe Transfer Mechanism
Before updating liquidityPool, ensure that the old pool’s RAAC balance is transferred to the new pool:
This ensures that any existing RAAC tokens in the old liquidity pool (if there is one) are transferred to the new pool before updating the address.
Another way of dealing with this problem is to add a simple check to see if the liquidityPool is already set, and if it is just throw an custom Error.
Conclusion
The current implementation of setLiquidityPool introduces a risk of fund loss if called more than once.
Severity
The likelihood might be low but the impact is critical.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.