Closed c4-bot-4 closed 9 months ago
0xleastwood marked the issue as primary issue
Aren't these leftovers refunded to the borrower during refundWithCheck()
?
I agree with @romeroadrian, these amounts should be gracefully handled by refundWithCheck
and will be sent to the borrower. The LPs should only be entitled cache.amountFromAdd
and cache.amountToAdd
(the actual amount, overwritten at the liquidity increasing step), as it repays the borrowed liquidity amount exactly (experiencing no higher impermanent loss). As it stands, I tend to vote for invalidating this finding, but will let the judge to decide.
It does seem that refundWithCheck
would send back excess funds to the borrower. Will invalidate but let @said017 comment if they disagree with this and have a POC to show otherwise.
0xleastwood marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L423-L439
Vulnerability details
Impact
When the position is closed by the traders or due to liquidation, the required amount of tokens to be paid is calculated and added back to the LP Uniswap V3 positions. However, the leftover tokens from the increasing liquidity operation are not accounted properly.
Proof of Concept
When
closePosition
orliquidatePosition
is called, it will eventually trigger_closePosition
, to calculate thecache.amountToAdd
andcache.amountFromAdd
and increase the LP uniswap v3 position by providing those value.https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L410-L439
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/LiquidityPosition.sol#L178-L204
It can be observed that instead of tracking the actual amounts used for the
increaseLiquidity
liquidity operation, it directly updatecache.amountFromAdd
andcache.amountToAdd
instead. so the unused amount (desired vs actual) is not tracked and stuck inside the contract.Tools Used
Manual review
Recommended Mitigation Steps
Instead of directly updating
cache.amountFromAdd
andcache.amountToAdd
using the actual amount fromincreaseLiquidity
, track the unsused amount and add it to the token owed for the LP.Assessed type
Uniswap