Platform: Code4rena
Start Date: 09/12/2021
Pot Size: $50,000 USDC
Total HM: 19
Participants: 21
Period: 7 days
Judge: 0xean
Total Solo HM: 14
Id: 61
League: ETH
Rank: 6/21
Findings: 2
Award: $2,816.75
🌟 Selected for report: 1
🚀 Solo Findings: 1
🌟 Selected for report: certora
2816.7538 USDC - $2,816.75
certora
https://github.com/code-423n4/2021-12-sublime/blob/main/contracts/Pool/Pool.sol#L645

If the borrow token is address(0) (ether) and someone calls withdrawLiquidity, it calls SavingsAccountUtil.transferTokens, which will transfer msg.value to msg.sender (the msg.value of withdrawLiquidity, because transferTokens is an internal function). In other words, the liquidity provider will pay themselves, and their liquidity tokens will still be burned. Therefore they will never be able to get their funds back.

The bug is in SavingsAccountUtil.sol:
https://github.com/code-423n4/2021-12-sublime/blob/main/contracts/SavingsAccount/SavingsAccountUtil.sol

It is wrong to use msg.value in transferTokens because it will be the msg.value of the calling function. Therefore every transfer of ether using this function is wrong and dangerous. The solution is to remove all msg.value from this function and just transfer _amount regularly.
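
The pattern described above, reduced to a minimal sketch with the flawed helper beside the corrected one. This is an added example, not code from the Sublime repository: `EtherTransferSketch`, `PoolSketch` and every function name in it are hypothetical, and shares are assumed to map 1:1 to wei.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; all names are hypothetical, not the Sublime contracts.
library EtherTransferSketch {
    // Flawed: inside an internal function, msg.value is still the value sent
    // with the external call being executed, not the amount requested here.
    function sendUsingMsgValue(address _to, uint256 _amount) internal returns (uint256) {
        if (_amount == 0) return 0;
        (bool ok, ) = payable(_to).call{value: msg.value}("");
        require(ok, "transfer failed");
        return _amount; // reports _amount although msg.value was what moved
    }

    // Corrected: no msg.value at all, the helper sends exactly _amount.
    function sendAmount(address _to, uint256 _amount) internal returns (uint256) {
        if (_amount == 0) return 0;
        (bool ok, ) = payable(_to).call{value: _amount}("");
        require(ok, "transfer failed");
        return _amount;
    }
}

contract PoolSketch {
    mapping(address => uint256) public shares; // assumption: 1 share == 1 wei

    function lend() external payable {
        shares[msg.sender] += msg.value;
    }

    // Not payable, so msg.value is 0 in this call and in the helper:
    // the shares are burned, 0 wei is sent, and the deposit stays locked.
    function withdrawFlawed() external {
        uint256 amount = shares[msg.sender];
        shares[msg.sender] = 0;
        EtherTransferSketch.sendUsingMsgValue(msg.sender, amount);
    }

    // Same bookkeeping, but the helper pays out the burned amount.
    function withdrawFixed() external {
        uint256 amount = shares[msg.sender];
        shares[msg.sender] = 0;
        EtherTransferSketch.sendAmount(msg.sender, amount);
    }
}
```

A regression test for this class of bug asserts the caller's ether balance delta after a withdrawal, not only the helper's return value, since the flawed helper returns `_amount` either way.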