Skip to content
This repository was archived by the owner on Aug 3, 2025. It is now read-only.
This repository was archived by the owner on Aug 3, 2025. It is now read-only.

Rhythmic Powder Swan - Lack of Validation for 1:1 invariant in createPool Function #1052

Open
Open
Rhythmic Powder Swan - Lack of Validation for 1:1 invariant in createPool Function#1052
@sherlock-admin4

Description

@sherlock-admin4
sherlock-admin4
opened on Jan 23, 2025

Rhythmic Powder Swan

Medium

Lack of Validation for 1:1 invariant in createPool Function

Summary

The PoolFactory contract's createPool function lacks validation to ensure that the reserveAmount is greater than or equal to the sum of bondAmount and leverageAmount. This can lead to inconsistent pool states, where the reserve tokens in the pool are insufficient to back the issued bond and leverage tokens, potentially causing financial instability and loss of funds.

The createPool function creates a new pool and mints bond and leverage tokens based on the provided reserveAmount, bondAmount, and leverageAmount. However, it does not validate whether the reserveAmount is sufficient to back the issued tokens. Specifically, it does not enforce the invariant:
reserveAmount >= bondAmount + leverageAmount as the exchange rate for bond and leverage share with starting amount should be 1:1.

This can lead to a situation where the pool is under-collateralized, meaning the reserve tokens in the pool are insufficient to cover the value of the issued bond and leverage tokens.

https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/PoolFactory.sol#L124-L239

Root Cause

The root cause is the lack of validation in the createPool function to ensure that the reserveAmount is sufficient to back the issued bond and leverage tokens. This oversight allows the creation of under-collateralized pools, which can lead to financial instability.

Internal Pre-conditions

  • The createPool function is called with reserveAmount, bondAmount, and leverageAmount as part of the parameters.
  • The reserveAmount is less than the sum of bondAmount and leverageAmount.

External Pre-conditions

  • A user or contract with the POOL_ROLE calls the createPool function.
  • The caller provides insufficient reserveAmount to back the issued bond and leverage tokens.

Attack Path

  • An admin with the POOL_ROLE calls the createPool function with a reserveAmount that is less than the sum of bondAmount and leverageAmount.
  • The pool is created and the bond and leverage tokens are minted, but the pool is under-collateralized.
  • Users who interact with the pool may suffer losses due to the insufficient reserve tokens.

Impact

Users who redeem bond or leverage tokens may receive fewer reserve tokens than expected

PoC

Consider the following scenario:

  • An admin calls the createPool function with the following parameters:

reserveAmount = 100

bondAmount = 60

leverageAmount = 50

  • The createPool function does not validate whether reserveAmount >= bondAmount + leverageAmount.

  • The pool is created with reserveAmount = 100, but the total value of the issued tokens is 110 (60 + 50).

  • The pool is under-collateralized, and users who redeem these tokens may suffer losses.

Mitigation

add a validation check in the createPool function to ensure that the reserveAmount is sufficient to back the issued bond and leverage tokens

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions