Remove launchpadSell function from MegaRouterFacet
Description
The launchpadSell
function allows a user to sell a specified amount of LaunchToken
through the trusted Launchpad contract. It transfers amountInBase
LaunchToken
from the caller to the contract, approves the Launchpad contract to spend them, and then executes the sale via the sell
function.
function launchpadSell(address token, uint256 amountInBase, uint256 worstAmountOutQuote)
external
returns (uint256 baseSpent, uint256 quoteBought)
{
token.safeTransferFrom(msg.sender, address(this), amountInBase);
token.safeApprove(address(launchpad), amountInBase);
return launchpad.sell(token, msg.sender, amountInBase, worstAmountOutQuote);
}
The problem is that LaunchToken
are locked for transfers until the BONDING_SUPPLY
amount of tokens is sold. Tokens can only be transferred to or from the Launchpad
contract.
Impact
The caller cannot provide the tokens to this contract, making the function unusable. And after the BONDING_SUPPLY
amount of tokens is sold, all remaining tokens will be moved to the UniswapV2 pool, making this function unusable as well.
The caller cannot provide the tokens to this contract, making the function unusable during the bonding curve phase. Additionally, once the BONDING_SUPPLY
amount of tokens is sold, all remaining tokens will be moved to the UniswapV2 pool, causing this function to remain unusable indefinitely.
Recommendations
Since the launchpadSell
function cannot be used at any point due to the transfer restrictions on LaunchToken
, we recommend removing this function entirely from the contract.
Remediation
This issue has been acknowledged by Liquid Labs, Inc., and a fix was implemented in commit df320180↗.
Liquid Labs, Inc. provided the following response:
This commit removed launchpad.Sell from the router, however for the next audit, we decided to beef up the pre-graduation transfer guards in LaunchToken to allow the router to transfer and sell