Open code423n4 opened 1 year ago
low decimal, cheap token cause rounding to 0
141345 marked the issue as primary issue
141345 marked the issue as duplicate of #316
141345 marked the issue as not a duplicate
141345 marked the issue as primary issue
Keref marked the issue as sponsor confirmed
Keref marked the issue as disagree with severity
((TOKEN0_PRICE * 10 ** TOKEN1.decimals) must be greater than TOKEN1_PRICE)
Both prices are given with 8 decimals as per Chainlink. Considering lowest possible case of USDC with only 6 decimals, that means the price of the token must be lower than 1e-6 USDC. Low impact in practice as there is no such token listed on Chainlink.
It makes sense anyway to update the code according to the recommendation
gzeon-c4 marked the issue as satisfactory
gzeon-c4 changed the severity to QA (Quality Assurance)
gzeon-c4 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/TokenisableRange.sol#L333-L339
Vulnerability details
Impact
returnExpectedBalanceWithoutFees
is a crucial function that will return the amount of token0 and token1 from the given price, ticks price and liquidity. However, the calculation of sqrt price using oracle price has very minimal underflow protection, could go underflow for certain pairs.Proof of Concept
This is the calculation inside
returnExpectedBalanceWithoutFees
:https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/TokenisableRange.sol#L338
It can be observed that it has inner calculation :
This calculation have very minimal underflow protection (
(TOKEN0_PRICE * 10 ** TOKEN1.decimals)
must be greater thanTOKEN1_PRICE
), especially whenTOKEN1.decimals
is low andTOKEN0_PRICE
value is very low compared toTOKEN1_PRICE
.When this happened (price underflow to 0) and passed to
getAmountsForLiquidity
, the function will always process and return onlyamt0
. This will result wrong amount is calculated and used when deciding amount to process insideclaimFees
.Tools Used
Manual review
Recommended Mitigation Steps
Change the operation when calculating price using this calculation to improve overflow/underflow protection :
reference : https://github.com/makerdao/univ3-lp-oracle
Assessed type
Math