Closed code423n4 closed 1 year ago
141345 marked the issue as duplicate of #78
141345 marked the issue as duplicate of #260
gzeon-c4 marked the issue as unsatisfactory: Insufficient proof
gzeon-c4 changed the severity to QA (Quality Assurance)
gzeon-c4 marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L331
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/RangeManager.sol#L119
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/RangeManager.sol#L131
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/PositionManager/OptionsPositionManager.sol#L135
Vulnerability details
Impact
The amount0Min and amount1Min are set to 0, which, when withdrawing from UniswapV3 (Positions NFT (UNI-V3-POS)), can allow the withdrawal to be frontrun and lose money.
Recommended Mitigation Steps
In the removeFromTick function, add the line "(uint amt0, uint amt1) = tr.getTokenAmounts(aBal)" and send these amounts in the function call on line 331 (tr.withdraw(aBal, amt0, amt1)), and in the withdraw function in TokenisableRange, on lines 299 and 300, use the same code as deposit (n1 * 95 / 100) to calculate a 95% minimum.
Assessed type
Other
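The following is an added illustration, not part of the report and not GoodEntry code: a small Python model of why zero minimums matter on a concentrated-liquidity withdrawal and how a 95% floor computed from a prior quote rejects a withdrawal executed at a moved price. The function names, the price range and the liquidity figure are constructed for the example, and it uses floating point rather than on-chain fixed-point math.

```python
import math


class SlippageError(Exception):
    """Stands in for the on-chain revert when a minimum is not met."""


def position_amounts(liquidity, price, p_low, p_high):
    """Token amounts a Uniswap V3 style range position holds at `price`."""
    sp = math.sqrt(min(max(price, p_low), p_high))  # clamp price to the range
    sa, sb = math.sqrt(p_low), math.sqrt(p_high)
    amount0 = liquidity * (1 / sp - 1 / sb)
    amount1 = liquidity * (sp - sa)
    return amount0, amount1


def min_amounts(expected0, expected1, pct=95):
    """95% floor on each token, the same ratio as n1 * 95 / 100."""
    return expected0 * pct / 100, expected1 * pct / 100


def withdraw(liquidity, pool_price, p_low, p_high, amount0_min, amount1_min):
    """Withdraw at the pool price in effect at execution time."""
    a0, a1 = position_amounts(liquidity, pool_price, p_low, p_high)
    if a0 < amount0_min or a1 < amount1_min:
        raise SlippageError(f"got ({a0:.4f}, {a1:.2f}), below minimums")
    return a0, a1


if __name__ == "__main__":
    # Constructed scenario: quote taken at price 2000, execution at 2100.
    L, LOW, HIGH = 1000, 1800, 2200
    exp0, exp1 = position_amounts(L, 2000, LOW, HIGH)
    m0, m1 = min_amounts(exp0, exp1)
    print("quoted amounts:       ", (round(exp0, 4), round(exp1, 2)))

    # Minimums of 0 accept whatever token mix the moved price produces.
    got = withdraw(L, 2100, LOW, HIGH, 0, 0)
    print("zero minimums receive:", (round(got[0], 4), round(got[1], 2)))

    # With the 95% floor, the same withdrawal is rejected instead.
    try:
        withdraw(L, 2100, LOW, HIGH, m0, m1)
    except SlippageError as err:
        print("95% floor rejects:    ", err)
```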