Putting the LP token as an LP to a pool makes it unredeemable
An LP token deposited into a pool and then withdrawn is permanently unredeemable. A malicious user can taint LP tokens in this way and sell them as worthless assets to third parties.
Description
The guard against burning the LP token when it is part of the pool/contract reserves checks contract_reserves for None. This is needed because of the Fuel UTXO model: when burning the token, it needs to be owned by the contract. The token could either be owned by the contract because it was transferred as part of the LP burning call, or because it is held as LP reserves.
The problem is that the condition still prevents burning even if the LP token was once in a pool but has since been withdrawn. The LP token pool is empty, but the check still prevents burning:
require(
    storage_keys.contract_reserves.get(asset_id).try_read().is_none(),
    PoolCurveStateError::InvalidLPTokenBalance,
);
If someone creates a pool using the LP token as an asset and then withdraws that LP token from the pool, this condition will still revert because contract_reserves is no longer None, even though the pool that was created is already empty.
Impact
A malicious user could "taint" an LP token in this way and then deposit it on a third-party system or sell it. Because the token can no longer be redeemed, it is worthless to whoever receives it.
Recommendation
Change the require statement so that when contract_reserves returns something other than None, the check still passes if the value is zero.
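The three states of the reserve slot (never written, funded, emptied) and how each guard treats them, as an added Rust model that is not the project's Sway code or the code from the fix commit. It assumes a HashMap standing in for the contract_reserves storage map and a withdrawal that leaves a zero entry behind, as the description implies; the method names and the asset id are hypothetical.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum PoolCurveStateError { InvalidLPTokenBalance }

// Model (assumption): the HashMap stands in for the contract_reserves storage
// map; a missing key corresponds to try_read() returning None.
#[derive(Default)]
pub struct Contract { contract_reserves: HashMap<String, u64> }

impl Contract {
    // Adding liquidity writes the slot, so it reads as Some(..) from now on.
    pub fn deposit(&mut self, asset: &str, amount: u64) {
        *self.contract_reserves.entry(asset.to_string()).or_insert(0) += amount;
    }
    // Withdrawing lowers the balance but never clears the slot: Some(0) remains.
    pub fn withdraw(&mut self, asset: &str, amount: u64) {
        if let Some(r) = self.contract_reserves.get_mut(asset) {
            *r = r.saturating_sub(amount);
        }
    }
    // Guard as quoted in the finding: passes only if the slot was never written.
    pub fn guard_original(&self, lp: &str) -> Result<(), PoolCurveStateError> {
        match self.contract_reserves.get(lp) {
            None => Ok(()),
            Some(_) => Err(PoolCurveStateError::InvalidLPTokenBalance),
        }
    }
    // Recommended guard: a never-written slot and an emptied slot both pass.
    pub fn guard_recommended(&self, lp: &str) -> Result<(), PoolCurveStateError> {
        match self.contract_reserves.get(lp).copied() {
            None | Some(0) => Ok(()),
            Some(_) => Err(PoolCurveStateError::InvalidLPTokenBalance),
        }
    }
}

fn main() {
    let mut c = Contract::default();
    let lp = "LP-TOKEN"; // constructed asset id
    c.deposit(lp, 100); // LP token used as a pool asset
    c.withdraw(lp, 100); // pool emptied again
    println!("original:    {:?}", c.guard_original(lp));
    println!("recommended: {:?}", c.guard_recommended(lp));
}
```

A regression test for the fix should cover exactly this deposit-then-withdraw sequence, since a test that only burns LP tokens that never entered a pool passes with either guard.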
Resolution
Fixed in commit 65509ec685e322498357504cf75967b06f69314d.

