vinica_boy - Providing liquidity to the AMM does not check the return value of actually provided tokens leading to locked funds. #240
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
Medium: A Medium severity issue.
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
vinica_boy
Medium
Providing liquidity to the AMM does not check the return value of actually provided tokens leading to locked funds.
Summary
When providing liquidity to an AMM pair, the protocol specifies both the desired amount of tokens to be provided and a minimum amount to be accepted. Any difference between the two—meaning the amount not used by the AMM—should be properly accounted for within the protocol, as it is not taken by the AMM.
Vulnerability Detail
The `__addLiquidityToAmmUnchecked` function is used to provide liquidity to the RA:CT AMM pair. In the current implementation, `raTolerance` and `ctTolerance` are calculated based on the reserves of the pair during the current transaction with 1% slippage tolerance. The amounts to be provided are determined by the current price ratio in the pair, which ensures that the amounts are almost always exactly what the AMM expects to maintain the `X * Y = K` constant product formula.
The current implementation does not check the actual amounts used by the AMM when providing liquidity. As a result, small differences (1-2 wei of the corresponding token) between the provided amount and the actual amount used by the AMM may remain locked in the contract. These differences arise from rounding in the RA:CT price ratio calculations and the corresponding amounts that should be provided. Over time, these small discrepancies could accumulate, leading to a higher amount of locked tokens in the contract.
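The rounding described above can be reproduced with a small model, added here as an example and not taken from the Cork code base or the original report. It assumes the AMM follows Uniswap V2 router semantics for `addLiquidity()` (one side is re-quoted from the reserves and the amounts actually used are returned); `provide`, `simulate`, the reserve values and the way the caller sizes the RA amount are constructed for illustration.

```python
# Constructed model: a Uniswap V2-style router decides the amounts it actually pulls.
WAD = 10**18

def quote(amount_in, reserve_in, reserve_out):
    # Proportional quote; integer division rounds down, which is where the dust comes from.
    return amount_in * reserve_out // reserve_in

def add_liquidity(reserves, ra_desired, ct_desired, ra_min, ct_min):
    """Return (ra_used, ct_used) like the router's return values and update reserves."""
    ra_res, ct_res = reserves
    ct_optimal = quote(ra_desired, ra_res, ct_res)
    if ct_optimal <= ct_desired:
        ra_used, ct_used = ra_desired, ct_optimal
    else:
        ra_used, ct_used = quote(ct_desired, ct_res, ra_res), ct_desired
    if ra_used < ra_min or ct_used < ct_min:
        raise ValueError("amount below tolerance")
    reserves[0] += ra_used
    reserves[1] += ct_used
    return ra_used, ct_used

def provide(reserves, ct_amount, check_return):
    """Hypothetical vault-side wrapper.

    Returns (recorded, actual): the (ra, ct) leftover the caller accounts for,
    and the (ra, ct) leftover that really stays behind in the contract.
    """
    ra_amount = quote(ct_amount, reserves[1], reserves[0])  # sized from the pool ratio (assumption)
    ra_min, ct_min = ra_amount * 99 // 100, ct_amount * 99 // 100  # 1% tolerance
    ra_used, ct_used = add_liquidity(reserves, ra_amount, ct_amount, ra_min, ct_min)
    actual = (ra_amount - ra_used, ct_amount - ct_used)
    # The unchecked path ignores the return values and assumes desired == used.
    recorded = actual if check_return else (0, 0)
    return recorded, actual

def simulate(rounds, check_return):
    """Repeat provisions; return total wei left behind but never recorded."""
    reserves = [1_000 * WAD, 1_050 * WAD]  # constructed RA:CT reserves
    untracked = 0
    for i in range(rounds):
        recorded, actual = provide(reserves, (5 + i) * WAD, check_return)
        untracked += (actual[0] - recorded[0]) + (actual[1] - recorded[1])
    return untracked

if __name__ == "__main__":
    print("untracked wei, return values ignored:", simulate(100, check_return=False))
    print("untracked wei, return values checked:", simulate(100, check_return=True))
```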
PoC:
Adjust the `__addLiquidityToAmmUnchecked()` function to:
Running the tests with the following function would result in some tests failing due to this difference in provided and used amounts.
Impact
The impact of these small amounts of locked funds is not significant on their own, but due to the compound effect over time and the high likelihood of this happening with each liquidity provision, the overall severity of the issue should be considered Medium.
Code Snippet
`VaultLib.__addLiquidityToAmmUnchecked()`: https://github.com/sherlock-audit/2024-08-cork-protocol/blob/db23bf67e45781b00ee6de5f6f23e621af16bd7e/Depeg-swap/contracts/libraries/VaultLib.sol#L55
Tool used
Manual Review
Recommendation
To handle the small differences between the provided and actual amounts used by the AMM, the return values of the `addLiquidity()` function should be checked, as shown in the adjusted `__addLiquidityToAmmUnchecked()` function. This allows the protocol to detect any discrepancies and take appropriate action.
Depending on the protocol's decision, these leftover funds can either be: