Platform: Code4rena
Start Date: 21/12/2023
Pot Size: $90,500 USDC
Total HM: 10
Participants: 39
Period: 18 days
Judge: LSDan
Total Solo HM: 5
Id: 315
League: ETH
Rank: 19/39
Findings: 1
Award: $358.73
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: erebus
Also found by: adeolu, oakcobalt, thank_you, windowhan001
358.7303 USDC - $358.73
Users can suffer losses due to MEV when withdrawing liquidity.
On Solana, a validator chosen by the Leader Rotation Mechanism can arbitrarily order transactions. This mechanism can lead to significant user losses if the minimum output for each token is not checked when burning LP Tokens and withdrawing liquidity.
    function withdraw(uint64 amount) external {
        ...
        // Second and third arguments (the minimum outputs for each token) are hard-coded to 0.
        whirlpool.decreaseLiquidity{accounts: metasDecreaseLiquidity, seeds: [[pdaProgramSeed, pdaBump]]}(amount, 0, 0);
        ...
    }
Manual Audit
Referring to the Orca whirlpool code (https://github.com/orca-so/whirlpools/blob/fc7dac3037c208fd1806ec80b8a43fbcc6648bdc/programs/whirlpool/src/lib.rs#L251-L256), it is advisable to set the second and third arguments of decrease_liquidity to something other than zero. These should be parameters additionally received through the withdraw function.
MEV
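The effect of the recommended minimums, as an added example that is not part of the original finding, the audited contract or the Orca code base: a simplified floating-point model of a concentrated-liquidity position using the standard formulas (the on-chain program uses fixed-point integers). All function names and numbers are constructed for illustration. It shows that the per-token payout depends on the pool price at execution time, and that minimums derived from the quoted price reject a withdrawal that zero minimums accept.

```python
import math

class SlippageExceeded(Exception):
    """Raised when a withdrawal would pay out less than the caller's minimum."""

def position_amounts(liquidity, price, lower, upper):
    """Tokens (A, B) owed for `liquidity` held in [lower, upper] at `price` (B per A)."""
    s_low, s_up = math.sqrt(lower), math.sqrt(upper)
    s = min(max(math.sqrt(price), s_low), s_up)  # out of range => single-sided payout
    return int(liquidity * (1 / s - 1 / s_up)), int(liquidity * (s - s_low))

def min_outputs(liquidity, quoted_price, lower, upper, slippage_bps):
    """Minimums the client derives from the price it saw when building the transaction."""
    a, b = position_amounts(liquidity, quoted_price, lower, upper)
    keep = 10_000 - slippage_bps
    return a * keep // 10_000, b * keep // 10_000

def decrease_liquidity(liquidity, exec_price, lower, upper, token_min_a, token_min_b):
    """Pay out at the price in force at execution time, enforcing both minimums."""
    a, b = position_amounts(liquidity, exec_price, lower, upper)
    if a < token_min_a or b < token_min_b:
        raise SlippageExceeded(f"got ({a}, {b}), wanted >= ({token_min_a}, {token_min_b})")
    return a, b

def demo():
    liq, lower, upper = 1_000_000, 0.25, 4.0  # constructed position
    quoted, executed = 1.0, 2.25              # constructed: price differs at execution
    mins = min_outputs(liq, quoted, lower, upper, slippage_bps=100)  # 1% tolerance
    # Zero minimums, as in the withdraw() shown above: any split is accepted.
    unchecked = decrease_liquidity(liq, executed, lower, upper, 0, 0)
    try:
        decrease_liquidity(liq, executed, lower, upper, *mins)
        checked = "accepted"
    except SlippageExceeded:
        checked = "rejected"
    return mins, unchecked, checked

if __name__ == "__main__":
    print(demo())
```

In a contract, the two minimums would arrive as extra parameters of `withdraw` and be forwarded in place of the literal zeros, as the recommendation above describes.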
#0 - c4-pre-sort
2024-01-10T15:19:16Z
alex-ppg marked the issue as duplicate of #339
#1 - c4-pre-sort
2024-01-10T15:19:19Z
alex-ppg marked the issue as sufficient quality report
#2 - c4-judge
2024-01-19T20:44:05Z
dmvt changed the severity to 2 (Med Risk)
#3 - c4-judge
2024-01-19T20:47:08Z
dmvt marked the issue as satisfactory