Lines of code
https://github.com/code-423n4/2023-05-maia/blob/main/src/talos/libraries/PoolVariables.sol#L231-L252
Vulnerability details
Proof of Concept
Rebalancing logic in TalosBaseStrategy starts with the strategy manager calling TalosBaseStrategy.rebalance() to swap imbalanced tokens. This function calls TalosStrategySimple.doRebalance():
https://github.com/code-423n4/2023-05-maia/blob/main/src/talos/base/TalosBaseStrategy.sol#L317
Next, PoolActions.swapEqualAmounts() is called:
https://github.com/code-423n4/2023-05-maia/blob/main/src/talos/strategies/TalosStrategySimple.sol#L42
Finally, PoolActions.swapEqualAmounts() calls PoolVariables.getSwapToEqualAmountsParams() to calculate the swap amounts based on the ticks of the Uniswap V3 pool:
https://github.com/code-423n4/2023-05-maia/blob/main/src/talos/libraries/PoolActions.sol#L41
The issue is that the arithmetic on sqrtPriceX96 in PoolVariables.getSwapToEqualAmountsParams() can overflow. sqrtPriceX96 is the uint160 read from the pool's slot0, and Uniswap allows it to use nearly the full 160 bits (TickMath.MAX_SQRT_RATIO is just below 2**160), so any multiplication of it that is carried out in uint160 width is unsafe for high-priced pools:
https://github.com/code-423n4/2023-05-maia/blob/main/src/talos/libraries/PoolVariables.sol#L231-L252
Uniswap's own OracleLibrary.getQuoteAtTick() handles exactly this case: it checks sqrtRatioX96 <= type(uint128).max and only then squares the ratio directly in a uint256; above that bound it falls back to FullMath.mulDiv so that the intermediate product cannot overflow.
Impact
Aside from the arithmetic on sqrtPriceX96 being subject to overflow, it is also possible for sqrtPriceX96 to fit in 128 bits while the computation of exactSqrtPriceImpact still overflows, since sqrtPriceX96 is multiplied by _strategy.priceImpactPercentage() and the resulting value is then subtracted from or added to sqrtPriceX96 depending on zeroForOne:
https://github.com/code-423n4/2023-05-maia/blob/main/src/talos/libraries/PoolVariables.sol#L251-L252
In either case the value returned by PoolVariables.getSwapToEqualAmountsParams() is wrong, and strategies might be rebalanced incorrectly since an incorrect sqrtPriceLimitX96 would be passed to pool.swap:
https://github.com/code-423n4/2023-05-maia/blob/main/src/talos/libraries/PoolActions.sol#L46-L52
Note that the concrete effect depends on the arithmetic mode: under Solidity 0.8 checked arithmetic the overflow reverts the whole rebalance() call, so rebalancing is blocked for as long as the pool price stays above the overflow threshold; inside an unchecked block (or with an older compiler) the value wraps and a bogus sqrtPriceLimitX96 reaches the pool. Neither outcome is acceptable for a rebalancing path that must keep working at any price the pool can reach.
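The following Python model is an added example written for this page; it is not code from the finding or from the Maia/Talos repository. It reproduces the exactSqrtPriceImpact / sqrtPriceLimitX96 formula described above under three arithmetic regimes (checked uint160, wrapping uint160, and a full-width intermediate in the style of FullMath.mulDiv) and computes the sqrtPriceX96 threshold at which the multiplication stops fitting in 160 bits. The function names, the scaling of priceImpactPercentage against GLOBAL_DIVISIONER (1_000_000 == 100%), the 1% sample value, and the assumption that the product is evaluated at uint160 width (Solidity's result type when a uint160 is multiplied by a narrower unsigned integer) are all assumptions for illustration, not facts taken from the Talos code.

```python
"""Model of the sqrtPriceLimitX96 arithmetic in getSwapToEqualAmountsParams().

Added example, not project code. Python ints stand in for EVM words; the
helpers below explicitly emulate uint160 width where the contract would.
"""

UINT160_MAX = 2**160 - 1
UINT128_MAX = 2**128 - 1   # the bound Uniswap's OracleLibrary branches on

# Assumed scaling (not taken from the Talos code): 1_000_000 == 100%.
GLOBAL_DIVISIONER = 1_000_000
ONE_PERCENT = 10_000


def limit_checked(sqrt_price_x96, price_impact, zero_for_one, divisor=GLOBAL_DIVISIONER):
    """Formula under checked uint160 arithmetic (Solidity >= 0.8 semantics).

    exactSqrtPriceImpact = sqrtPriceX96 * (priceImpact / 2) / divisor
    sqrtPriceLimitX96    = zeroForOne ? sqrtPriceX96 - impact : sqrtPriceX96 + impact

    Returns (True, limit) on success or (False, reason) where False models a revert.
    """
    half = price_impact // 2
    product = sqrt_price_x96 * half
    if product > UINT160_MAX:
        return False, "mul overflow"          # Panic(0x11): rebalance() reverts
    impact = product // divisor
    if zero_for_one:
        if impact > sqrt_price_x96:
            return False, "sub underflow"
        return True, sqrt_price_x96 - impact
    limit = sqrt_price_x96 + impact
    if limit > UINT160_MAX:
        return False, "add overflow"
    return True, limit


def limit_wrapping(sqrt_price_x96, price_impact, zero_for_one, divisor=GLOBAL_DIVISIONER):
    """Same formula with wrapping (unchecked) semantics: the 'wrong value' outcome."""
    half = price_impact // 2
    product = (sqrt_price_x96 * half) & UINT160_MAX   # truncated to 160 bits
    impact = product // divisor
    if zero_for_one:
        return (sqrt_price_x96 - impact) & UINT160_MAX
    return (sqrt_price_x96 + impact) & UINT160_MAX


def limit_safe(sqrt_price_x96, price_impact, zero_for_one, divisor=GLOBAL_DIVISIONER):
    """Hardened form: full-width intermediate (FullMath.mulDiv on-chain), then an
    explicit bound check before narrowing the result back to uint160."""
    half = price_impact // 2
    if half >= divisor:
        return False, "impact >= 100%"        # limit would hit zero or double the price
    impact = (sqrt_price_x96 * half) // divisor   # unbounded here; mulDiv in Solidity
    limit = sqrt_price_x96 - impact if zero_for_one else sqrt_price_x96 + impact
    if limit > UINT160_MAX:
        return False, "limit exceeds uint160"
    return True, limit


def mul_overflow_threshold(price_impact):
    """Smallest sqrtPriceX96 for which sqrtPriceX96 * (priceImpact / 2) exceeds uint160."""
    half = price_impact // 2
    return UINT160_MAX // half + 1


if __name__ == "__main__":
    big = mul_overflow_threshold(ONE_PERCENT)
    print("overflow threshold for 1% impact:", big, "(> uint128 max:", big > UINT128_MAX, ")")
    print("checked :", limit_checked(big, ONE_PERCENT, True))
    print("wrapping:", limit_wrapping(big, ONE_PERCENT, True) == big)
    print("safe    :", limit_safe(big, ONE_PERCENT, True))
```

For 1% impact the threshold is well above type(uint128).max, which is why the uint128 guard alone is not enough: the checked variant reverts exactly at the threshold while the widened variant still returns a limit below the current price. At that threshold the wrapping variant truncates the product to a few thousand, so the computed impact is zero and the "limit" equals the current price; UniswapV3Pool.swap rejects a limit that is not strictly past the current price (its 'SPL' require), so this particular input fails in the pool, while other inputs wrap to a limit that is simply different from the intended one.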
Tools Used
Manual review.
Recommended Mitigation Steps
Account for potential overflow of sqrtPriceX96 and exactSqrtPriceImpact inside PoolVariables.getSwapToEqualAmountsParams(): compute the product with FullMath.mulDiv (as Uniswap's own libraries do, so the intermediate is evaluated at full width) and check that the resulting sqrtPriceLimitX96 fits in uint160 before passing it to pool.swap.
Assessed type
Under/Overflow