Open code423n4 opened 1 year ago
gzeon-c4 marked the issue as satisfactory
gzeon-c4 marked the issue as selected for report
It's been mentioned in the review comments. Basically we dont add liquidity there for various reasons (likely already overallocated, unclear deposit strategy) Additionally the activeTickeIndex doent mean the tick is active (maybe misnomer) but points to the first tick above. Actually the probability that the price is in the tick is low and we just skip depositing in that case
@gzeon-c4 hey, actually this issue is already raised at the original contest, see #414
gzeon-c4 changed the severity to QA (Quality Assurance)
gzeon-c4 marked the issue as not selected for report
Hi @gzeon-c4, I would ask to reconsider the Med removal, considering the following:
#43
alone the GeVault can (by pure chance) end up deploying to the active ticker, this issue prevents correct deployments 100% of timesThis isnt a medium risk because there are no funds at risk and it follows our allocation strategy. Mitigation of the issue is to avoid reverting, not picking a different allocation strategy
Lines of code
https://github.com/GoodEntry-io/ge/blob/c7c7de57902e11e66c8186d93c5bb511b53a45b8/contracts/GeVault.sol#L359 https://github.com/GoodEntry-io/ge/blob/c7c7de57902e11e66c8186d93c5bb511b53a45b8/contracts/GeVault.sol#L360
Vulnerability details
In the new implementation, when deploying assets to the TokenisableRange instances, GeVault always sends a fixed amount for one asset and zero for the other asset:
However, the active ticker (
newTickIndex
), by definition of active ticker, requires depositing non-zero amounts for both assets. If one of the two is zero, only a little amount of liquidity will generated, and the provided asset will go mostly unused, causing the TokenisableRange's deposit slippage check to fail.Impact
GeVault will consistently fail to deploy assets to the active ticker. Since the active ticker is the one that's traded and generates fees, always depositing outside of that ticker makes the GeVault contract completely lose its intended functionality of concentrating liquidity where it produces value.
Proof of Concept
Tools Used
Code review, Foundry
Recommended Mitigation Steps
When deploying assets to the active ticker (not needed for the others), cap the sent amounts to what's needed to prevent the slippage check from failing:
with the
exactTokenAmounts
utility function being added to TokenisableRange:The change to GeVault should be safe to apply because the
poolMatchesOracle()
check removes the need for a further slippage check.Assessed type
Uniswap