search

code-423n4 / 2023-11-panoptic-findings

0 stars 0 forks source link

Incorrect Fee Collection Logic #592

Closed c4-bot-1 closed 11 months ago

c4-bot-1 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-panoptic/blob/main/contracts/SemiFungiblePositionManager.sol#L1201

Vulnerability details

Impact

The function's logic for calculating the amount of fees to collect may not accurately reflect the fees accrued in the Uniswap V3 pool.

Proof of Concept

// Simplified example to illustrate potential discrepancy in fee collection

// Mock UniswapV3Pool for demonstration purposes contract MockUniswapV3Pool { // Simulated fee calculation function in the actual UniswapV3 pool function getFeesBase(uint128 liquidityChunk) external pure returns (int256 feesBase) { // Simulated fee calculation logic (example values) feesBase = int256(liquidityChunk * 5); // Assuming a fee of 5 times liquidity for demonstration }

// Function to simulate collect method in UniswapV3 pool
function collect(
    address sender,
    uint256 tickLower,
    uint256 tickUpper,
    uint128 amount0,
    uint128 amount1
) external pure returns (uint128, uint128) {
    // Simulated collect function (echo back the amounts)
    return (amount0, amount1);
}

}

contract YourContract { MockUniswapV3Pool public univ3pool;

// Mock liquidity chunk
uint128 public liquidityChunk = 100;

// Assuming this function mimics the _collectAndWritePositionData logic in your contract
function simulateFeeCollection(uint256 currentLiquidity) external returns (int256 collectedOut) {
    uint128 startingLiquidity = uint128(currentLiquidity); // Mock current liquidity for simplicity

    int256 amountToCollect = univ3pool.getFeesBase(liquidityChunk); // Get fees as per assumed logic

    // Rest of the logic for collecting fees (similar to _collectAndWritePositionData)

    // Illustrative example (not real fee calculation)
    uint128 receivedAmount0 = 50; // Example received amount from pool
    uint128 receivedAmount1 = 60; // Example received amount from pool

    // Assuming discrepancy due to different fee calculation logic
    uint128 collected0 = receivedAmount0 - uint128(-amountToCollect.rightSlot()); // Simulated discrepancy
    uint128 collected1 = receivedAmount1 - uint128(-amountToCollect.leftSlot()); // Simulated discrepancy

    collectedOut = int256(0).toRightSlot(collected0).toLeftSlot(collected1);
}

}

Tools Used

Recommended Mitigation Steps

Review and correct the fee collection logic to ensure it accurately calculates the correct amount of fees to collect.

Assessed type

Other

c4-judge commented 11 months ago

Picodes marked the issue as unsatisfactory: Insufficient quality