The SFPM contract accumulates and checkpoints values like fees, liquidity, and premiums in its state storage variables. For example:
// Accumulates owed fees for removed liquidity
mapping(bytes32 => uint256) private s_accountPremiumOwed
// Accumulates total fees for added liquidity
mapping(bytes32 => uint256) private s_accountPremiumGross
// Tracks net and removed liquidity
mapping(bytes32 => uint256) internal s_accountLiquidity
These values accumulate on-chain per user over time. The contract relies on the persisted state across transactions.
If the underlying blockchain experiences a long re-org and the SFPM contract state is reverted to an earlier point:
All accumulated values would be lost or set to older stale values
User balances, positions, and fee entitlements could be corrupted
Scenario
Bob deposits tokens and mints positions over 1 week, earning fees
At the end of the week, a long 14 block re-org happens on the chain
SFPM contract state reverts to earlier point before Bob's transactions
Bob's positions and earned fees disappear from contract storage
No storage checkpoints to allow contract state recovery on long re-orgs, so User funds and accumulated values can disappear without recourse during long re-orgs. Would lead to broken system state.
Proof of Concept
Persisted user balances and positions can disappear without user recourse, leading to a broken platform state.
As these persisted variables accumulate on-chain and are relied on across transactions, a long reorganization that reverted these mappings to much older states could corrupt user balances and positions.
The risk of this occurring in case of a deep chain re-org, where the contract state reverts to a previous checkpoint, but user expectations and actual deposited amounts are now different. This could break internal accounting and make the system untenable.
Tools Used
Vs Code
Recommended Mitigation Steps
Implement regular state checkpoints in critical state variables.
Lines of code
https://github.com/code-423n4/2023-11-panoptic/blob/aa86461c9d6e60ef75ed5a1fe36a748b952c8666/contracts/SemiFungiblePositionManager.sol#L288-L290 https://github.com/code-423n4/2023-11-panoptic/blob/aa86461c9d6e60ef75ed5a1fe36a748b952c8666/contracts/SemiFungiblePositionManager.sol#L296
Vulnerability details
Impact
The SFPM contract accumulates and checkpoints values like fees, liquidity, and premiums in its state storage variables. For example:
These values accumulate on-chain per user over time. The contract relies on the persisted state across transactions.
If the underlying blockchain experiences a long re-org and the SFPM contract state is reverted to an earlier point:
Scenario
No storage checkpoints to allow contract state recovery on long re-orgs, so User funds and accumulated values can disappear without recourse during long re-orgs. Would lead to broken system state.
Proof of Concept
Persisted user balances and positions can disappear without user recourse, leading to a broken platform state.
https://github.com/code-423n4/2023-11-panoptic/blob/aa86461c9d6e60ef75ed5a1fe36a748b952c8666/contracts/SemiFungiblePositionManager.sol#L288-L290
https://github.com/code-423n4/2023-11-panoptic/blob/aa86461c9d6e60ef75ed5a1fe36a748b952c8666/contracts/SemiFungiblePositionManager.sol#L296
As these persisted variables accumulate on-chain and are relied on across transactions, a long reorganization that reverted these mappings to much older states could corrupt user balances and positions.
The risk of this occurring in case of a deep chain re-org, where the contract state reverts to a previous checkpoint, but user expectations and actual deposited amounts are now different. This could break internal accounting and make the system untenable.
Tools Used
Vs Code
Recommended Mitigation Steps
Implement regular state checkpoints in critical state variables.
Assessed type
Other