Closed code423n4 closed 1 year ago
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L222 https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L239
The deposit amount of a user can be manipulated.
slot0() is extremely easy to manipulate as it is the most recent data point. The issue arises due to there not being any protection against sqrtPriceX96 manipulation.
slot0()
sqrtPriceX96
// @audit no check against sqrtPriceX96 (uint160 sqrtPriceX96,,,,,,) = IUniswapV3Pool(pool).slot0(); (uint256 token0Amount, uint256 token1Amount) = LiquidityAmounts.getAmountsForLiquidity( sqrtPriceX96, TickMath.getSqrtRatioAtTick(lowerTick), TickMath.getSqrtRatioAtTick(upperTick), liquidity); if (token0Amount + fee0 > 0) newFee0 = n0 * fee0 / (token0Amount + fee0); if (token1Amount + fee1 > 0) newFee1 = n1 * fee1 / (token1Amount + fee1); fee0 += newFee0; fee1 += newFee1; n0 -= newFee0; n1 -= newFee1;
https://docs.uniswap.org/contracts/v3/reference/core/interfaces/pool/IUniswapV3PoolState#slot0
Manual Review
Consider using TWAP to make the calculation.
Uniswap
141345 marked the issue as duplicate of #48
gzeon-c4 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L222 https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L239
Vulnerability details
Impact
The deposit amount of a user can be manipulated.
Proof of Concept
slot0()
is extremely easy to manipulate as it is the most recent data point. The issue arises due to there not being any protection againstsqrtPriceX96
manipulation.https://docs.uniswap.org/contracts/v3/reference/core/interfaces/pool/IUniswapV3PoolState#slot0
Tools Used
Manual Review
Recommended Mitigation Steps
Consider using TWAP to make the calculation.
Assessed type
Uniswap