code-423n4 / 2023-11-zetachain-findings


Modified hasZetaLiquidity function designed to provide a reliable, dynamic, and customizable way to assess liquidity for Zeta token swaps in Uniswap V3 #29

Closed c4-submissions closed 9 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-zetachain/blob/main/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV3.strategy.sol#L184

Vulnerability details

Impact

Consider the modifications to the hasZetaLiquidity function, which are designed to provide a reliable, dynamic, and customizable way to assess liquidity for Zeta token swaps in Uniswap V3. This enhancement is vital for the secure and efficient operation of the token exchange processes within the ZetaChain ecosystem.

Changes Made: Liquidity Check Enhancement in hasZetaLiquidity: Added a more robust method to check the liquidity in the Uniswap V3 pool. The updated code first checks if the pool address for the WETH9 and zetaToken pair exists (poolAddress == address(0)). If the pool exists, it retrieves the liquidity of the pool (pool.liquidity()).

Introduced a threshold: (sufficientLiquidityThreshold) to define what is considered 'sufficient liquidity' for operational purposes.

Returning a Boolean Value Based on Liquidity: The function now returns true if the pool's liquidity exceeds the defined threshold, indicating sufficient liquidity for token swaps. Returns false if the liquidity is below the threshold or if the pool doesn't exist.

Proof of Concept

The current implementation checks if the pool address exists and then queries the liquidity of the pool.

To ensure the hasZetaLiquidity() function checks if there is sufficient liquidity in the Uniswap V3 pool for Zeta token swaps, consider ensuring that the method of checking liquidity (pool.liquidity() > 0) is reliable and aligns with your definition of 'sufficient liquidity'.

Proposed Code Changes:

Here's an outline of the changes for the hasZetaLiquidity function:

function hasZetaLiquidity() external view override returns (bool) {
    address poolAddress = uniswapV3Factory.getPool(WETH9Address, zetaToken, zetaPoolFee);

    if (poolAddress == address(0)) {
        return false;
    }

    // If pool does exist, get its liquidity
    IUniswapV3Pool pool = IUniswapV3Pool(poolAddress);
    uint256 poolLiquidity = pool.liquidity();

    // Define a threshold for sufficient liquidity, if needed
    uint256 sufficientLiquidityThreshold = /* define a threshold */;

    return poolLiquidity > sufficientLiquidityThreshold;
}

In the ZetaTokenConsumerUniV3 contract, the following changes were proposed, particularly to the hasZetaLiquidity function:

Tools Used

VS Code

Recommended Mitigation Steps

Rationale Behind the Changes:

Accurate Liquidity Assessment: The updated liquidity check provides a more accurate and practical assessment of whether the pool has enough liquidity for Zeta token swaps. This is crucial for ensuring that the token exchange operations can be executed efficiently and without disruption.

Customizable and Dynamic Liquidity Threshold: By introducing a liquidity threshold, the contract can adapt to different operational requirements and market conditions. This threshold allows for flexibility and can be set based on historical data, trading volumes, or other relevant metrics.

Improved Functionality for Consumers: The boolean return value offers a clear and straightforward indication of the pool's liquidity status. This is particularly useful for functions or external callers that rely on the liquidity information to make decisions or execute trades.

Conclusion: The changes focus on enhancing the robustness of token exchange functions and the reliability of the liquidity check. It's crucial to ensure that the contract can handle various scenarios securely, especially when interacting with external protocols like Uniswap V3.

Assessed type

Access Control
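
As an added example (not part of the submission above or of the ZetaChain code), this Python model shows one way to derive a value for sufficientLiquidityThreshold from a target swap size and a tolerated price move, and why a pool that passes `pool.liquidity() > 0` may still support no meaningful swap. It assumes the in-range liquidity stays constant over the move (no tick crossing) and ignores fees; all function names and sample inputs are hypothetical.

```python
from decimal import Decimal, ROUND_CEILING, getcontext

getcontext().prec = 60          # enough precision for uint128 liquidity values
Q96 = 2 ** 96                   # Uniswap V3 stores sqrt(price) as Q64.96 fixed point


def _sqrt_price_move(sqrt_price_x96: int, max_impact_bps: int) -> Decimal:
    """Drop in sqrt(price) when the price falls by max_impact_bps basis points."""
    if not 0 < max_impact_bps < 10_000:
        raise ValueError("max_impact_bps must be between 1 and 9999")
    sqrt_p = Decimal(sqrt_price_x96) / Decimal(Q96)
    remaining = Decimal(10_000 - max_impact_bps) / Decimal(10_000)
    return sqrt_p - sqrt_p * remaining.sqrt()


def token1_out_for_impact(liquidity: int, sqrt_price_x96: int, max_impact_bps: int) -> int:
    """token1 a swap can take out before the price moves by max_impact_bps.

    Uses the V3 relation amount1 = L * delta(sqrt(P)); assumes L is constant
    over the move (no initialized tick is crossed) and ignores fees.
    """
    return int(Decimal(liquidity) * _sqrt_price_move(sqrt_price_x96, max_impact_bps))


def min_liquidity_for_swap(amount1_out: int, sqrt_price_x96: int, max_impact_bps: int) -> int:
    """Smallest L that lets amount1_out leave the pool within the impact bound."""
    needed = Decimal(amount1_out) / _sqrt_price_move(sqrt_price_x96, max_impact_bps)
    return int(needed.to_integral_value(rounding=ROUND_CEILING))


def has_sufficient_liquidity(pool_exists: bool, liquidity: int, threshold: int) -> bool:
    """Off-chain mirror of the proposed check: missing pool or L <= threshold fails."""
    return pool_exists and liquidity > threshold


if __name__ == "__main__":
    # Constructed inputs: price 1.0, 18-decimal tokens, 1% tolerated price move.
    threshold = min_liquidity_for_swap(10**18, Q96, 100)
    print("threshold for a 1-token swap:", threshold)
    print("L = 1 passes '> 0' but supports:", token1_out_for_impact(1, Q96, 100))
    print("L = 1 passes threshold check:", has_sufficient_liquidity(True, 1, threshold))
```
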

c4-pre-sort commented 10 months ago

DadeKuma marked the issue as insufficient quality report

c4-judge commented 9 months ago

0xean marked the issue as unsatisfactory: Insufficient quality