Open c4-bot-1 opened 9 months ago
0xleastwood marked the issue as primary issue
Really interesting side effect of upgrading code from solidity < 0.8 👍
Oh this one is great. Will update the code to uncheck feeGrowthInside0X128 and feeGrowthInside1X128 calculations.
0xleastwood marked the issue as selected for report
wukong-particle (sponsor) confirmed
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/Base.sol#L318-L342
Vulnerability details
Impact
When operations need to calculate a Uniswap V3 position's fee growth, the contract uses a function similar to the one implemented by Uniswap V3. However, according to this known issue: https://github.com/Uniswap/v3-core/issues/573, the contract implicitly relies on underflow/overflow when calculating the fee growth. If underflow is prevented, some operations that rely on fee growth will revert.
Proof of Concept
It can be observed that the current implementation of getFeeGrowthInside does not allow underflow/overflow to happen when calculating feeGrowthInside0X128 and feeGrowthInside1X128, because the contract uses Solidity 0.8.23.
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/Base.sol#L318-L342
This could impact crucial operations that rely on this call; liquidation, for example, could revert unexpectedly. This behavior is quite frequent, especially for pools that use a lower fee.
Coded PoC:
Add the following test to /test/OpenPosition.t.sol:
Also modify FEE inside /test/Base.t.sol to 500:
Run the test:
Log output:
It can be observed that the liquidation reverts due to the underflow.
Tools Used
Manual review.
Recommended Mitigation Steps
Use unchecked when calculating feeGrowthInside0X128 and feeGrowthInside1X128.
Assessed type
Error
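The underflow described in this report, modelled as an added example that is not part of the original issue or of the Particle code base. Python integers stand in for uint256, the branch structure follows Uniswap V3's getFeeGrowthInside, and the tick range, fee-growth values and function names are constructed for illustration.

```python
"""Model of Uniswap V3 fee-growth accounting; ints stand in for uint256."""
U256 = 1 << 256

def sub_checked(a, b):
    # Solidity >= 0.8 default: a - b panics (the call reverts) when b > a.
    if b > a:
        raise ArithmeticError("underflow: call reverts")
    return a - b

def sub_wrapping(a, b):
    # Solidity < 0.8, or an `unchecked { }` block: wraps modulo 2**256.
    return (a - b) % U256

def fee_growth_inside(sub, lower, upper, current, g, out_lower, out_upper):
    """Branches of getFeeGrowthInside; `sub` selects the arithmetic semantics."""
    below = out_lower if current >= lower else sub(g, out_lower)
    above = out_upper if current < upper else sub(g, out_upper)
    return sub(sub(g, below), above)

def scenario(sub):
    """Fee growth earned inside [lower, upper) between two reads (constructed data)."""
    lower, upper = -10, 10
    # global = 100: upper tick initialized with price above it -> outside = global.
    out_upper = 100
    # global = 110: price crosses upper downward -> outside = global - outside.
    out_upper = 110 - out_upper  # 10
    # Price keeps falling below `lower`, which is not initialized yet.
    # global = 200: lower tick initialized with price below it -> outside = 0.
    out_lower = 0
    # First read, price below the range: 200 - (200 - 0) - 10 underflows.
    snapshot = fee_growth_inside(sub, lower, upper, -20, 200, out_lower, out_upper)
    # global = 230: price crosses lower upward -> outside = global - outside.
    out_lower = 230 - out_lower
    # global = 260: 30 units accrued while the price sat inside the range.
    latest = fee_growth_inside(sub, lower, upper, 0, 260, out_lower, out_upper)
    # Only the difference between two reads is meaningful to a position.
    return sub(latest, snapshot)

if __name__ == "__main__":
    print("wrapping delta:", scenario(sub_wrapping))
    try:
        scenario(sub_checked)
    except ArithmeticError as exc:
        print("checked arithmetic:", exc)
```

The wrapped snapshot is a huge number, yet the difference between the two reads comes out as the 30 units actually accrued in range, which is why only these subtractions need to be unchecked.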