[Lines of code](https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/LiquidityPool.sol#L214-L217) # Vulnerability details ## Impact When users seek to invest in a Centrifuge pool using liquidity pools, the initial step involves calling the requestDepositOrder function to send a deposit request to the Centrifuge chain. During this process, necessary state variables such as max deposit/mint values are updated. Subsequently, the Centrifuge chain responds with data that is stored within the investManager.sol contract. This data remains associated with the epoch in which the request was initiated and becomes executable in the upcoming epoch. However, users have the ability to reduce their deposit orders by calling the decreaseDepositRequest, reclaim their currencies, and subsequently call the deposit function to mint TT tokens without requiring any currency. more details in POC. ## Proof of Concept Let's consider a hypothetical scenario in which the currency is DAI, and the Tranche token to be minted is TT. Alice intends to deposit/invest 10,000 USDC at a rate of 1.25 DAI per USDC, resulting in her receiving 8,000 TT. 1-Alice's first action is to call the requestDepositOrder function, which sends an deposit order request to the Centrifuge chain. Upon receiving the result, the investManager.sol contract updates both maxDeposit and maxMint values to reflect the requested deposit amount and the TT tokens to be received. This update occurs in these [lines](https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/InvestmentManager.sol#L248-L249). the requestDepositOrder in the investManger.sol that will be called by the public [requestDepositOrder](https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/LiquidityPool.sol#L214-L217) function in the liquidityPool: function requestDeposit(uint256 currencyAmount, address user) public auth { address liquidityPool = msg.sender; LiquidityPoolLike lPool = LiquidityPoolLike(liquidityPool); address currency = lPool.asset(); uint128 _currencyAmount = _toUint128(currencyAmount); // Check if liquidity pool currency is supported by the Centrifuge pool poolManager.isAllowedAsPoolCurrency(lPool.poolId(), currency); // Check if user is allowed to hold the restricted tranche tokens _isAllowedToInvest(lPool.poolId(), lPool.trancheId(), currency, user); if (_currencyAmount == 0) { // Case: outstanding investment orders only needed to be cancelled gateway.cancelInvestOrder( lPool.poolId(), lPool.trancheId(), user, poolManager.currencyAddressToId(lPool.asset()) ); return; } // Transfer the currency amount from user to escrow. (lock currency in escrow). SafeTransferLib.safeTransferFrom(currency, user, address(escrow), _currencyAmount); gateway.increaseInvestOrder( lPool.poolId(), lPool.trancheId(), user, poolManager.currencyAddressToId(lPool.asset()), _currencyAmount ); } As implemented in the code above, the entire currency amount is transferred to the [escrow](https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/Escrow.sol) contract. Subsequently, the increaseInvestOrder function is called, initiating the transmission of encoded data to the Centrifuge chain through the router. 2- Upon the return of the call from the Centrifuge chain the [execute](https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/gateway/routers/axelar/Router.sol#L73-L86>) function from router will invoked which will call the [handle]() function from the gateway contract to send the data to the investManger.sol by calling [handleExecutedCollectInvest]() will call the [_calculatePrice](