Root + Impact

https://github.com/CodeHawks-Contests/2025-05-ssswap/blob/27a2ef878023b0111ec4acc33503d99ae1ae36fa/programs/amm/src/instructions/liquidity_operations.rs#L251-L269

Description

In the provide_liquidity function, the protocol transfers Token A and Token B to the vaults via CPI, then immediately calculates the number of LP tokens to mint using liquidity_calculation. However, it fails to call .reload() on the vault accounts after the transfers. As Anchor's AccountInfo caches on-chain state, the calculation uses outdated balances (pre-transfer), which can result in incorrect LP minting.

Risk

Likelihood:

• This occurs every time the provide_liquidity function is invoked without reloading the vault accounts.

• Anchor caches account data unless .reload() is explicitly called.

• An attacker can automate this to repeatedly exploit incorrect LP minting logic.

Impact:

• LP token recipients will receive more tokens than they should.

• When these LP tokens are later redeemed, the pool may be drained of assets.

• Honest liquidity providers suffer from dilution, harming protocol trust and solvency.

Proof of Concept

• Initial pool: 1000 Token A and 1000 Token B.

• Attacker adds 100 A + 100 B via provide_liquidity.

• Tokens are transferred, vaults are updated on-chain but not in memory.

• No .reload(), vaults still show 1000 A + 1000 B.

• LP calculation assumes lower total liquidity → mints more LP tokens.

• Attacker redeems later for more than fair share, extracting excess value.

  
  

Recommended Mitigation

Reload account state after transfers but before any calculations relying on vault data: