Lines of code
https://github.com/code-423n4/2023-11-panoptic/blob/main/contracts/libraries/PanopticMath.sol#L38
Vulnerability details
Impact
PoolId is used for indexing or tracking specific pools; validating that the conversion accurately represents the intended pool ID range, and that it is used consistently across the system, would be essential.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Tools Used
Recommended Mitigation Steps
Depending on the purpose, consider adding checks or validations to ensure the correctness and validity of the converted pool ID:
function getPoolId(address univ3pool) internal pure returns (uint64) {
    require(univ3pool != address(0), "Invalid pool address");
    uint64 poolId = uint64(uint160(univ3pool) >> 96);
    // Additional checks or logging related to poolId usage
    // ...
    return poolId;
}
Assessed type
Invalid Validation
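The following is an added example, not code from the submission or from the Panoptic repository. It shows what the `>> 96` conversion keeps and one possible uniqueness check on top of it. The names `PoolIdExample`, `PoolIdRegistryExample`, `register` and `demo`, and all addresses, are hypothetical and constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example with hypothetical names; not Panoptic code.
library PoolIdExample {
    // Same conversion as on the page: keep only the top 64 bits of the
    // 160-bit address, discarding the low 96 bits.
    function getPoolId(address univ3pool) internal pure returns (uint64) {
        return uint64(uint160(univ3pool) >> 96);
    }
}

contract PoolIdRegistryExample {
    // poolId => pool address that first claimed the id
    mapping(uint64 => address) public poolOf;

    error ZeroPool();
    error PoolIdCollision(uint64 poolId, address existing, address incoming);

    // One possible validation: reject a pool whose truncated id is already
    // held by a different address.
    function register(address univ3pool) external returns (uint64 poolId) {
        if (univ3pool == address(0)) revert ZeroPool();
        poolId = PoolIdExample.getPoolId(univ3pool);
        address existing = poolOf[poolId];
        if (existing != address(0) && existing != univ3pool) {
            revert PoolIdCollision(poolId, existing, univ3pool);
        }
        poolOf[poolId] = univ3pool;
    }

    // Constructed addresses showing two properties of the truncation.
    function demo() external pure returns (bool sameId, bool zeroId) {
        // a and b share their top 64 bits and differ only in the low 96 bits.
        address a = address((uint160(0x1111111111111111) << 96) | 1);
        address b = address((uint160(0x1111111111111111) << 96) | 2);
        sameId = PoolIdExample.getPoolId(a) == PoolIdExample.getPoolId(b); // true

        // A non-zero address passes a zero-address check, yet its id is 0
        // when its top 64 bits are all zero.
        address lowOnly = address(uint160(1));
        zeroId = PoolIdExample.getPoolId(lowOnly) == 0; // true
    }
}
```

A zero-address `require` alone guarantees neither a non-zero pool ID nor a unique one; uniqueness has to be enforced wherever the ID is stored or looked up.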