code-423n4 / 2024-02-uniswap-foundation-findings


Vulnerable payout mechanism enables strategic extraction of excess pool value. #240

Closed c4-bot-5 closed 7 months ago

c4-bot-5 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5298812a129f942555466ebaa6ea9a2af4be0ccc/src/V3FactoryOwner.sol#L69
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5298812a129f942555466ebaa6ea9a2af4be0ccc/src/V3FactoryOwner.sol#L72

Vulnerability details

Summary

Temporary manipulation or pricing failures around PAYOUT_TOKEN allow attackers to strategically exploit the lack of oracle indexing on payoutAmount to drain excess value from pools. Adding a pricing oracle would close this attack vector.

Impact

Manipulation of PAYOUT_TOKEN prices could enable attackers to extract excess value from the protocol by strategically stalling or draining fee collection from V3 pools.

Proof of Concept

In the V3FactoryOwner.payoutAmount variable and PAYOUT_TOKEN price dependency:

uint256 public payoutAmount;

IERC20 public immutable PAYOUT_TOKEN;

An attacker could exploit the pricing oracle failures or manipulate prices as follows:

  1. Short PAYOUT_TOKEN until price drops 50% lower than indexed value

  2. payoutAmount is now underpriced relative to pool token values

  3. Attacker starts rapidly draining fees from pools via claimFees, paying cheap PAYOUT_TOKEN to extract more value in pool tokens

  4. Repeated draining extracts significant value before the discrepancy is addressed

The root issue is that V3FactoryOwner.payoutAmount lacks a pricing oracle to dynamically adjust based on PAYOUT_TOKEN price changes. This allows the manipulation or exploitation described above.

Without automatic adjustment, temporary price discrepancies can be exploited to intentionally pay low payoutAmounts to drain higher pool token values. This channels excess value to attackers.

Tools Used

VS

Recommended Mitigation Steps

Implement a pricing oracle (e.g. Chainlink) to dynamically update payoutAmount, and monitor pricing differentials and pause draining if manipulation is detected.

Assessed type

Oracle
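An added sketch of the mitigation the report recommends (oracle-indexed payout plus a pause on suspicious price moves); it is example code written for this page, not the project's V3FactoryOwner or the submitter's. It assumes a Chainlink-style 8-decimal PAYOUT_TOKEN/USD feed, an 18-decimal PAYOUT_TOKEN, and an admin who re-bases the reference price after a reviewed move; the deviation guard is one way to "pause draining" on-chain without a separate monitoring service.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Subset of Chainlink's AggregatorV3Interface (real signatures).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80);
}

// Hypothetical sketch, not the project's V3FactoryOwner: price the payout from a
// PAYOUT_TOKEN/USD feed at claim time, and revert (pausing fee claims) when the feed
// is stale or more than MAX_DEVIATION_BPS away from the admin-accepted reference price.
contract OracleIndexedPayout {
    AggregatorV3Interface public immutable FEED;      // assumed 8-decimal USD feed
    uint256 public immutable TARGET_USD_E8;           // payout target in USD, 8 decimals
    uint256 public constant MAX_STALENESS = 1 hours;
    uint256 public constant MAX_DEVIATION_BPS = 2_000; // 20%
    address public immutable ADMIN;
    uint256 public referencePriceE8;                  // price ADMIN last accepted as genuine
    constructor(AggregatorV3Interface feed, uint256 targetUsdE8) {
        require(feed.decimals() == 8, "8-decimal feed expected");
        FEED = feed;
        TARGET_USD_E8 = targetUsdE8;
        ADMIN = msg.sender;
        referencePriceE8 = _freshPrice(feed);
    }
    // Latest feed answer, rejecting non-positive or stale rounds.
    function _freshPrice(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "bad oracle answer");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale oracle");
        return uint256(answer);
    }

    // PAYOUT_TOKEN (18 decimals assumed) owed for a claim right now; replaces the static
    // payoutAmount read. Reverts while the price is off the reference, which halts claims.
    function payoutAmount() public view returns (uint256) {
        uint256 price = _freshPrice(FEED);
        uint256 ref = referencePriceE8;
        uint256 diff = price > ref ? price - ref : ref - price;
        require(diff * 10_000 / ref <= MAX_DEVIATION_BPS, "price deviation, claims paused");
        return TARGET_USD_E8 * 1e18 / price;
    }
    // ADMIN re-bases the reference after reviewing a genuine large move.
    function acceptCurrentPrice() external {
        require(msg.sender == ADMIN, "not admin");
        referencePriceE8 = _freshPrice(FEED);
    }
}
```

A claim path would call payoutAmount() at claim time instead of reading a stored value, so a 50% drop in PAYOUT_TOKEN either raises the token amount owed or, past the deviation cap, reverts until the admin accepts the new price.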

c4-judge commented 7 months ago

MarioPoneder marked the issue as unsatisfactory: Insufficient proof