Description

The launchpadSell function allows a user to sell a specified amount of LaunchToken through the trusted Launchpad contract. It transfers amountInBase LaunchToken from the caller to the contract, approves the Launchpad contract to spend them, and then executes the sale via the sell function.

function launchpadSell(address token, uint256 amountInBase, uint256 worstAmountOutQuote)
    external
    returns (uint256 baseSpent, uint256 quoteBought)
{
    token.safeTransferFrom(msg.sender, address(this), amountInBase);

    token.safeApprove(address(launchpad), amountInBase);

    return launchpad.sell(token, msg.sender, amountInBase, worstAmountOutQuote);
}

The problem is that LaunchToken are locked for transfers until the BONDING_SUPPLY amount of tokens is sold. Tokens can only be transferred to or from the Launchpad contract.

Impact

The caller cannot provide the tokens to this contract, making the function unusable. And after the BONDING_SUPPLY amount of tokens is sold, all remaining tokens will be moved to the UniswapV2 pool, making this function unusable as well.

The caller cannot provide the tokens to this contract, making the function unusable during the bonding curve phase. Additionally, once the BONDING_SUPPLY amount of tokens is sold, all remaining tokens will be moved to the UniswapV2 pool, causing this function to remain unusable indefinitely.

Recommendations

Since the launchpadSell function cannot be used at any point due to the transfer restrictions on LaunchToken, we recommend removing this function entirely from the contract.

Remediation

This issue has been acknowledged by Liquid Labs, Inc., and a fix was implemented in commit df320180↗.

Liquid Labs, Inc. provided the following response:

This commit removed launchpad.Sell from the router, however for the next audit, we decided to beef up the pre-graduation transfer guards in LaunchToken to allow the router to transfer and sell