`DAOfiV1Pair.deposit()` is used to deposit liquidity into the pool. Only a single deposit can be made, so no liquidity can ever be added to a pool where `deposited == true`.

The `deposit()` function does not check for a nonzero deposit amount in either token, so a malicious user that does not hold any of the `baseToken` or `quoteToken` can lock the pool by calling `deposit()` without first transferring any funds to the pool.

Recommendation: Require a minimum deposit amount with non-zero checks.
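
The pattern described above, reduced to a simplified model with the unchecked deposit beside a checked one. This is an added example, not DAOfi's source code: the contract name, function names, `MIN_DEPOSIT` and the revert strings are hypothetical, and requiring the minimum in both tokens is an assumption of this model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical single-deposit pool used only to illustrate the finding.
contract SingleDepositPool {
    // Assumed threshold; a real pool would choose this per token and decimals.
    uint256 public constant MIN_DEPOSIT = 1;

    address public immutable baseToken;
    address public immutable quoteToken;
    uint256 public reserveBase;
    uint256 public reserveQuote;
    bool public deposited;

    constructor(address _baseToken, address _quoteToken) {
        baseToken = _baseToken;
        quoteToken = _quoteToken;
    }

    // BEFORE: reserves are read from the pool's balances and the one-time
    // flag is set even when both balances are zero, so the pool ends up
    // with deposited == true and no liquidity.
    function depositUnchecked() external {
        require(!deposited, "DOUBLE_DEPOSIT");
        reserveBase = IERC20Minimal(baseToken).balanceOf(address(this));
        reserveQuote = IERC20Minimal(quoteToken).balanceOf(address(this));
        deposited = true;
    }

    // AFTER: the one-time flag is only consumed once the balances already
    // transferred to the pool meet the minimum; otherwise the call reverts
    // and the pool stays open for a real deposit.
    function depositChecked() external {
        require(!deposited, "DOUBLE_DEPOSIT");
        uint256 baseIn = IERC20Minimal(baseToken).balanceOf(address(this));
        uint256 quoteIn = IERC20Minimal(quoteToken).balanceOf(address(this));
        require(baseIn >= MIN_DEPOSIT, "INSUFFICIENT_BASE_DEPOSIT");
        require(quoteIn >= MIN_DEPOSIT, "INSUFFICIENT_QUOTE_DEPOSIT");
        reserveBase = baseIn;
        reserveQuote = quoteIn;
        deposited = true;
    }
}
```

A regression test for the fix should assert that `depositChecked()` reverts on an unfunded pool and that `deposited` is still `false` afterwards.
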
- ConsenSys Audit DAOfi Finding 4.5
- Denial-of-Service
- Medium Severity
- Zero Liquidity Deposit
- Single Deposit
- Check Non-Zero Deposit Amount
- YouTube Reference
- Medium severity finding from Consensys Diligence Audit of DAOfi