0x73696d616f - VaultPoolLib::reserve() will store the Pa not attributed to user withdrawals incorrectly and leave it untracked once it expires again #191
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
High: A High severity issue.
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Won't Fix: The sponsor confirmed this issue will not be fixed
0x73696d616f
High
VaultPoolLib::reserve() will store the Pa not attributed to user withdrawals incorrectly and leave it untracked once it expires again
Summary
VaultPoolLib::reserve() stores the Pa attributed to withdrawals in self.withdrawalPool.stagnatedPaBalance instead of storing the amount attributedToAmm. Additionally, this amount of Pa, the one attributed to the Amm, is never dealt with and leads to stuck PA.
The comment in the code mentions
But it is incorrect as it is never rationed again, just forgotten. The VaultPoolLib::rationedToAmm() function only uses the Ra balance, not the Pa, which is effectively left untracked.
Root Cause
In VaultPoolLib:170, the leftover non-attributed Pa is not dealt with.
Internal pre-conditions
None.
External pre-conditions
None.
Attack Path
VaultPoolLib::reserve() is called when liquidating the lp position of the Vault via VaultLib::_liquidatedLP(), triggered by users when redeeming expired liquidity vault shares or on the admin triggering a new issuance.
Impact
The Pa in the Vault is stuck.
PoC
VaultPoolLib::rationedToAmm() does not deal with the Pa.
Mitigation
Distribute the Pa to users based on their LV shares or redeem the Pa for Ra and add liquidity to the new issued Ds or similar.
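
The accounting gap described in the Summary, as an added Python model that is not part of the original report and is not the audited contract's code. The `Pool` class, `split()`, `amm_ra_balance`, `store_amm_share` and `pa_ledger_gap()` are hypothetical names, and the pro-rata split by withdrawn LV is an assumption made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    ra_balance: int = 0            # Ra owed to withdrawals
    amm_ra_balance: int = 0        # Ra attributed to the AMM (hypothetical name)
    pa_balance: int = 0            # Pa owed to withdrawals
    stagnated_pa_balance: int = 0  # models withdrawalPool.stagnatedPaBalance

def split(total, lv_issued, lv_withdrawn):
    # Assumption: pro-rata split by withdrawn LV; the remainder is the AMM share.
    to_withdraw = total * lv_withdrawn // lv_issued
    return to_withdraw, total - to_withdraw

def reserve(pool, lv_issued, lv_withdrawn, added_ra, added_pa, store_amm_share=False):
    pool.ra_balance, pool.amm_ra_balance = split(added_ra, lv_issued, lv_withdrawn)
    attributed_to_withdraw, attributed_to_amm = split(added_pa, lv_issued, lv_withdrawn)
    pool.pa_balance = attributed_to_withdraw
    # Reported behaviour: the withdrawal share is written again and
    # attributed_to_amm is dropped. store_amm_share=True records it instead.
    pool.stagnated_pa_balance = (
        attributed_to_amm if store_amm_share else attributed_to_withdraw
    )
    return pool

def rationed_to_amm(pool):
    # Per the report, this path reads the Ra balance only; Pa never enters it.
    return pool.amm_ra_balance

def pa_ledger_gap(pool, pa_held):
    """Pa held by the vault minus Pa recorded in the two Pa fields (0 = consistent)."""
    return pa_held - (pool.pa_balance + pool.stagnated_pa_balance)

if __name__ == "__main__":
    # Constructed sample: 1000 LV issued, 250 withdrawn, liquidation yields 2000 Ra + 1000 Pa.
    for flag in (False, True):
        p = reserve(Pool(), 1000, 250, 2000, 1000, store_amm_share=flag)
        print(flag, p, "Ra to AMM:", rationed_to_amm(p), "Pa gap:", pa_ledger_gap(p, 1000))
```

A non-zero gap means some Pa held by the vault is either missing from the ledger or counted twice; asserting the gap is zero after every `reserve()` call is the kind of invariant test that surfaces this class of bug.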