Temporary manipulation or pricing failures around PAYOUT_TOKEN allows attackers to strategically exploit the lack of oracle indexing on payoutAmount to drain excess value from pools. Adding a pricing oracle would close this attack vector.
Impact
Manipulation of PAYOUT_TOKEN prices could enable attackers to extract excess value from the protocol by strategically stalling or draining fee collection from V3 pools.
uint256 public payoutAmount;
IERC20 public immutable PAYOUT_TOKEN;
An attacker could exploit the pricing oracle failures or manipulate prices as follows:
Short PAYOUT_TOKEN until price drops 50% lower than indexed value
payoutAmount is now underpriced relative to pool token values
Attacker starts rapidly draining fees from pools via claimFees, paying cheap PAYOUT_TOKEN to extract more value in pool tokens
Repeated draining extracts significant value before the discrepancy is addressed
The root issue is V3FactoryOwner.payoutAmount lacks a pricing oracle to dynamically adjust based on PAYOUT_TOKEN price changes. This allows the manipulation or exploitation described above.
Without automatic adjustment, temporary price discrepancies can be exploited to intentionally pay low payoutAmounts to drain higher pool token values. This channels excess value to attackers.
Tools Used
VS
Recommended Mitigation Steps
Implement a pricing oracle (e.g. Chainlink) to dynamically update payoutAmount and Monitor pricing differentials and pause draining if manipulation detected
Lines of code
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5298812a129f942555466ebaa6ea9a2af4be0ccc/src/V3FactoryOwner.sol#L69 https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5298812a129f942555466ebaa6ea9a2af4be0ccc/src/V3FactoryOwner.sol#L72
Vulnerability details
Summary
Temporary manipulation or pricing failures around
PAYOUT_TOKEN
allows attackers to strategically exploit the lack of oracle indexing onpayoutAmount
to drain excess value from pools. Adding a pricing oracle would close this attack vector.Impact
Manipulation of
PAYOUT_TOKEN
prices could enable attackers to extract excess value from the protocol by strategically stalling or draining fee collection from V3 pools.Proof of Concept
In the
V3FactoryOwner.payoutAmount
variable andPAYOUT_TOKEN
price dependency:An attacker could exploit the pricing oracle failures or manipulate prices as follows:
Short
PAYOUT_TOKEN
until price drops 50% lower than indexed valuepayoutAmount
is now underpriced relative to pool token valuesAttacker starts rapidly draining fees from pools via
claimFees
, paying cheapPAYOUT_TOKEN
to extract more value in pool tokensRepeated draining extracts significant value before the discrepancy is addressed
Tools Used
VS
Recommended Mitigation Steps
Implement a pricing oracle (e.g. Chainlink) to dynamically update
payoutAmount
and Monitor pricing differentials and pause draining if manipulation detectedAssessed type
Oracle