From ca44eef8211bb932ff78de9749d8a6ce5aab9807 Mon Sep 17 00:00:00 2001 From: 0xFable <0xfable@protonmail.com> Date: Wed, 10 Apr 2024 03:08:40 +0100 Subject: [PATCH] fix: [pool-manager] Verify the LP tokens are sent on WithdrawLiquidity #313 --- .../liquidity_hub/pool-manager/src/contract.rs | 9 +-------- .../pool-manager/src/liquidity/commands.rs | 15 +++++++++------ 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/contracts/liquidity_hub/pool-manager/src/contract.rs b/contracts/liquidity_hub/pool-manager/src/contract.rs index a3798011..bf096dd2 100644 --- a/contracts/liquidity_hub/pool-manager/src/contract.rs +++ b/contracts/liquidity_hub/pool-manager/src/contract.rs @@ -104,14 +104,7 @@ pub fn execute( ) } ExecuteMsg::WithdrawLiquidity { pair_identifier } => { - liquidity::commands::withdraw_liquidity( - deps, - env, - // TODO: why not sending info instead? there's no check that funds are sent - info.sender, - info.funds[0].amount, - pair_identifier, - ) + liquidity::commands::withdraw_liquidity(deps, env, info, pair_identifier) } ExecuteMsg::AddNativeTokenDecimals { denom, decimals } => { manager::commands::add_native_token_decimals(deps, env, denom, decimals) diff --git a/contracts/liquidity_hub/pool-manager/src/liquidity/commands.rs b/contracts/liquidity_hub/pool-manager/src/liquidity/commands.rs index 1c73e98e..b078b29e 100644 --- a/contracts/liquidity_hub/pool-manager/src/liquidity/commands.rs +++ b/contracts/liquidity_hub/pool-manager/src/liquidity/commands.rs @@ -1,4 +1,4 @@ -use cosmwasm_std::{Addr, BankMsg, Coin, CosmosMsg, DepsMut, Env, MessageInfo, Response}; +use cosmwasm_std::{BankMsg, Coin, CosmosMsg, DepsMut, Env, MessageInfo, Response}; use white_whale_std::pool_network::asset::PairType; use crate::{ @@ -204,11 +204,11 @@ pub fn provide_liquidity( pub fn withdraw_liquidity( deps: DepsMut, env: Env, - sender: Addr, - amount: Uint128, + info: MessageInfo, pair_identifier: String, ) -> Result { let config = MANAGER_CONFIG.load(deps.storage)?; + let amount = info.funds[0].amount; // check if the withdraw feature is enabled if !config.feature_toggle.withdrawals_enabled { return Err(ContractError::OperationDisabled( @@ -219,7 +219,10 @@ pub fn withdraw_liquidity( // Get the pair by the pair_identifier let mut pair = get_pair_by_identifier(&deps.as_ref(), &pair_identifier)?; let liquidity_token = pair.lp_denom.clone(); - + // Verify that the LP token was sent + if info.funds.is_empty() || info.funds[0].denom != liquidity_token { + return Err(ContractError::Unauthorized {}); + } // Get the total share of the pool let total_share = get_total_share(&deps.as_ref(), liquidity_token.clone())?; @@ -243,7 +246,7 @@ pub fn withdraw_liquidity( // Transfer the refund assets to the sender messages.push(CosmosMsg::Bank(BankMsg::Send { - to_address: sender.to_string(), + to_address: info.sender.to_string(), amount: refund_assets.clone(), })); @@ -264,7 +267,7 @@ pub fn withdraw_liquidity( // update pool info Ok(Response::new().add_messages(messages).add_attributes(vec![ ("action", "withdraw_liquidity"), - ("sender", sender.as_str()), + ("sender", info.sender.as_str()), ("withdrawn_share", &amount.to_string()), ])) }