The getPoolId() function fails to check the validity of the provided Uniswap v3 pool address. If an invalid address is passed, it could be used to manipulate calls to unintended pools or cause other unintended consequences.
The attacker could obtain the pool ID for a non-existent or malicious pool. This pool ID might then be used to call other functions on that pool, potentially causing unintended actions or losses for users.
The attacker could compromise the integrity of the library by injecting malicious code. This could lead to unintended behavior or even compromise the security of the entire library.
Denial of Service attacks by repeatedly calling the function with invalid addresses resulting in system unavailability due to continous processing of invalid requests
Proof of Concept
For example we have the vulnerable getPoolId function in the PanopticMath library.
We create a contract called MaliciousContract with a trustedPool address.
The manipulateGetPoolId function in MaliciousContract demonstrates how an attacker could manipulate the getPoolId() function by creating a malicious address (maliciousAddress) and calling the vulnerable function with this manipulated address.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
library PanopticMath {
function getPoolId(address univ3pool) internal pure returns (uint64) {
return uint64(uint160(univ3pool) >> 96);
}
}
contract MaliciousContract {
using PanopticMath for *;
address public trustedPool;
constructor(address _trustedPool) {
trustedPool = _trustedPool;
}
function manipulateGetPoolId() public view returns (uint64) {
// An attacker can manipulate the getPoolId function by passing a malicious address
address maliciousAddress = address(uint160(trustedPool) + 1);
// Call the vulnerable function with the manipulated address
return maliciousAddress.getPoolId();
}
}
Tools Used
VScode
MythX
Remix
Recommended Mitigation Steps
The most important mitigation step is to include proper input validation by adding a check to confirm if it is a valid address in order to fix this vulnerability.
pragma solidity ^0.8.0;
library PanopticMath {
function getPoolId(address univ3pool) internal pure returns (uint64) {
require(isValidAddress(univ3pool), "Invalid pool address");
return uint64(uint160(univ3pool) >> 96);
}
function isValidAddress(address addr) internal pure returns (bool) {
// Check if the address is not zero and has the correct length
return addr != address(0) && addr == address(uint160(addr));
}
}
Lines of code
https://github.com/code-423n4/2023-11-panoptic/blob/aa86461c9d6e60ef75ed5a1fe36a748b952c8666/contracts/libraries/PanopticMath.sol#L38C5-L40C6#L42
Vulnerability details
Impact
The
getPoolId()
function fails to check the validity of the provided Uniswap v3 pool address. If an invalid address is passed, it could be used to manipulate calls to unintended pools or cause other unintended consequences.Proof of Concept
For example we have the vulnerable getPoolId function in the PanopticMath library.
We create a contract called MaliciousContract with a trustedPool address.
The
manipulateGetPoolId
function in MaliciousContract demonstrates how an attacker could manipulate thegetPoolId()
function by creating a malicious address(maliciousAddress)
and calling the vulnerable function with this manipulated address.Tools Used
Recommended Mitigation Steps
The most important mitigation step is to include proper input validation by adding a check to confirm if it is a valid address in order to fix this vulnerability.
Assessed type
Invalid Validation