Omniscia vfat Audit

NuriRouterConnector Manual Review Findings

NRC-01M: Inexistent Approval of LP Units

Description:

The NuriRouterConnector::removeLiquidity function does not approve the LP asset that will ultimately be burned to extract the relevant funds, rendering the integration incompatible.

Impact:

The current NuriRouterConnector::removeLiquidity function implementation is incompatible with the Nuri Exchange implementation as it does not provide an adequate approval of the LP units removed toward the router implementation.

Example:

contracts/connectors/nuri/NuriRouterConnector.sol
    function removeLiquidity(
        RemoveLiquidityParams memory removeLiquidityParams
    ) external override {
        NuriLiquidityExtraData memory _extraData = abi.decode(
            removeLiquidityParams.extraData, (NuriLiquidityExtraData)
        );
        // No approval of the LP units toward the router precedes this call.
        IRamsesRouter(removeLiquidityParams.router).removeLiquidity(
            removeLiquidityParams.tokens[0],
            removeLiquidityParams.tokens[1],
            _extraData.isStablePool,
            removeLiquidityParams.lpAmountIn,
            removeLiquidityParams.minAmountsOut[0],
            removeLiquidityParams.minAmountsOut[1],
            address(this),
            block.timestamp
        );
    }

Recommendation:

We advise the referenced function to properly approve, toward the router, the pair that the LP amounts are attached to, ensuring that the liquidity removal operation succeeds.
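
One way to apply this recommendation, as an added example that is neither the project's code nor its fix: resolve the pair, approve exactly the LP amount being removed toward the router, remove liquidity, then clear the allowance. The interfaces, the struct layouts and the Solidly-style pairFor lookup are assumptions declared locally for illustration; only the field names visible in the snippet above are mirrored.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example. Everything below is declared locally as an assumption.
interface ILpToken {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IRouterLike {
    // Assumed Solidly-style pair lookup; the page does not show how the
    // LP token address is resolved.
    function pairFor(address a, address b, bool stable) external view returns (address);
    function removeLiquidity(
        address tokenA, address tokenB, bool stable, uint256 liquidity,
        uint256 amountAMin, uint256 amountBMin, address to, uint256 deadline
    ) external returns (uint256 amountA, uint256 amountB);
}

struct RemoveLiquidityParams {
    address router;
    address[] tokens;
    uint256 lpAmountIn;
    uint256[] minAmountsOut;
    bytes extraData;
}

struct NuriLiquidityExtraData { bool isStablePool; }

contract ApprovingConnectorExample {
    // Caller authorisation is left to the surrounding system, as in the
    // snippet this mirrors.
    function removeLiquidity(RemoveLiquidityParams memory p) external {
        NuriLiquidityExtraData memory extra =
            abi.decode(p.extraData, (NuriLiquidityExtraData));
        // Resolve the LP token the router will pull and burn.
        address pair = IRouterLike(p.router).pairFor(
            p.tokens[0], p.tokens[1], extra.isStablePool
        );
        // Grant exactly the amount being removed, not an unlimited allowance.
        require(ILpToken(pair).approve(p.router, p.lpAmountIn), "approve failed");
        IRouterLike(p.router).removeLiquidity(
            p.tokens[0], p.tokens[1], extra.isStablePool, p.lpAmountIn,
            p.minAmountsOut[0], p.minAmountsOut[1], address(this), block.timestamp
        );
        // Leave no standing allowance behind once the call returns.
        require(ILpToken(pair).approve(p.router, 0), "allowance reset failed");
    }
}
```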

Alleviation (6ab7af3bb495b817ffec469255ea679b1813eecb):

The referenced code is no longer present in the revised contract, rendering it no longer applicable.