Possible loss of funds when adding liquidity #30
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-376
satisfactory: satisfies C4 submission criteria; eligible for awards
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L423
Vulnerability details
Possible loss of funds when adding liquidity
Summary
The Pair contract does not return excess funds to the user when adding liquidity through add() or nftAdd(), which can result in loss of funds through external bugs.
Detailed description
Pair.add() calls into Pair.addQuote to calculate how many LP tokens to mint given the input of base tokens and fractional tokens (fTokens). The share of both inputs is calculated and the lower share is used to calculate the LP token amount through Math.min(baseTokenShare, fractionalTokenShare).
Through an external bug, such as a UI bug or an error in the integration of Caviar in a third-party service, users could overpay by an infinite amount by supplying more of one of the two assets than would be necessary. These excess funds would get split evenly across all LP token holders instead of being returned to the user.
Affected functions:
add()
nftAdd(), since it calls into add()
Recommended mitigation
Calculate excess funds when adding liquidity and return them to the user.
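The recommended mitigation, as an added example that is not part of the original submission and is not Caviar's code: a Python model of the lower-share calculation described above that mints on the lower share, keeps only the amounts backing that mint, and refunds the rest. The Pool class, the function names and all reserve and deposit figures are constructed for illustration, and the first-deposit case is left out.

```python
# Added example, not Caviar's code: a Python model of the share calculation
# described in this issue. Pool figures and deposits are constructed.
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed-point unit


@dataclass
class Pool:
    base_reserves: int
    frac_reserves: int
    lp_supply: int


def add_quote(pool: Pool, base_in: int, frac_in: int) -> int:
    """LP tokens minted: the lower of the two input shares."""
    if pool.lp_supply == 0:
        raise ValueError("first deposit is outside the scope of this model")
    base_share = base_in * pool.lp_supply // pool.base_reserves
    frac_share = frac_in * pool.lp_supply // pool.frac_reserves
    return min(base_share, frac_share)


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def add_with_refund(pool: Pool, base_in: int, frac_in: int) -> dict:
    """Mint on the lower share, keep only what backs it, refund the rest."""
    lp = add_quote(pool, base_in, frac_in)
    if lp == 0:
        raise ValueError("deposit too small to mint any LP tokens")
    # Round up so the refund never leaves the pool short of backing for `lp`.
    base_used = ceil_div(lp * pool.base_reserves, pool.lp_supply)
    frac_used = ceil_div(lp * pool.frac_reserves, pool.lp_supply)
    return {"lp": lp, "base_used": base_used, "frac_used": frac_used,
            "base_refund": base_in - base_used, "frac_refund": frac_in - frac_used}


POOL = Pool(100 * WAD, 1000 * WAD, 300 * WAD)           # constructed state
LOPSIDED = add_with_refund(POOL, 50 * WAD, 10 * WAD)    # 49 base tokens too many
BALANCED = add_with_refund(POOL, 10 * WAD, 100 * WAD)   # matches the pool ratio
```

Without the refund step, the 49 base tokens in the lopsided deposit would stay in the pool and accrue to existing LP holders, which is the loss this issue describes.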
PoC
Paste the following unit test into the test/Pair/unit directory and run it with forge test -vv -m testOverpay. The -vv flag is important in order to see the console.log output.
The PoC demonstrates a user overpaying and losing 4499 ETH.