code-423n4 / 2024-02-uniswap-foundation-findings


Unchecked price ratio changes undermine fee collection, impacting rewards and incentives. #289

Closed c4-bot-9 closed 4 months ago

c4-bot-9 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5298812a129f942555466ebaa6ea9a2af4be0ccc/src/V3FactoryOwner.sol#L181-L198

Vulnerability details

Summary

The unchecked divergence of the payoutAmount and actual fee value due to price changes allows extractable value and undermines the arbitrage incentives essential to UniStaker's design. Adding circuit breakers and an adjustable payout amount based on price data would significantly improve the system's resiliency.

Vulnerability Details

V3FactoryOwner.claimFees() mechanism relies on arbitrage from external parties to consistently buy fee tokens in exchange for paying the payoutAmount of WETH. Drastic changes in the WETH/fee token price ratio can make this arbitrage unprofitable. This breaks the economic incentives that power this auction-based fee collection system.

In V3FactoryOwner.claimFees()

function claimFees(
  IUniswapV3PoolOwnerActions _pool,
  address _recipient,
  uint128 _amount0Requested,
  uint128 _amount1Requested
) external returns (uint128, uint128) {
  // Collects fees by paying payoutAmount of WETH <@
  PAYOUT_TOKEN.safeTransferFrom(msg.sender, address(REWARD_RECEIVER), payoutAmount);
  REWARD_RECEIVER.notifyRewardAmount(payoutAmount);
  (uint128 _amount0, uint128 _amount1) =
    _pool.collectProtocol(_recipient, _amount0Requested, _amount1Requested);

  // Protect the caller from receiving less than requested. See `collectProtocol` for context.
  if (_amount0 < _amount0Requested || _amount1 < _amount1Requested) {
    revert V3FactoryOwner__InsufficientFeesCollected();
  }

  // Value of fees rewarded could deviate greatly from payoutAmount
  emit FeesClaimed(address(_pool), msg.sender, _recipient, _amount0, _amount1);
  return (_amount0, _amount1);
}

If the price ratio changes cause the value of the fee tokens to differ substantially from the payoutAmount of WETH, it breaks the economic incentive for buyers.

Impact

For example, if WETH quadruples in value compared to stablecoin fee tokens, buyers would have to overpay 4X to claim fees. This would likely fully deter fee collection.

Conversely, a 75% drop in WETH price would greatly incentivize rapid collection of all fees before price recoveries. This could cause reward consistency issues.

Proof of Concept

An attacker monitors the WETH/USDC price ratio, waiting for a 30% drop in ETH value. When this occurs:

  1. They instantly call V3FactoryOwner.claimFees(), paying the still-high payoutAmount in cheapened WETH
  2. This lets them claim an excessive portion of USDC fees compared to the WETH spent
  3. The attacker profits from the temporary price divergence
  4. Reward consistency suffers as large fee chunks are extracted

To carry out the attack, the attacker needs accounts with pre-approved WETH to spend and needs to monitor pricing data. No other special access is required.

Tools Used

Manual

Recommended Mitigation Steps

Implement configurable circuit breakers around price drift thresholds in claimFees()

Add an oracle-connected mechanism to algorithmically adjust the payoutAmount to maintain an even WETH/fee value ratio

Assessed type

Other
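The following is an added worked model of the fixed-payout auction the report describes, not code from the issue or from the UniStaker repository. It values the collected fee tokens in WETH at a given market price, reports whether a claim pays for itself, shows how a price move shifts the fee balance at which claiming first becomes worthwhile, and sketches the kind of drift check the report proposes as a circuit breaker. All numbers (a 10 WETH payout, USDC as the fee token, the prices and fee stream) are constructed, and the drift guard is a hypothetical illustration that does not exist in V3FactoryOwner.

```python
"""Economic model of a fixed-payout fee auction (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class FeeClaim:
    """One hypothetical call to claimFees() evaluated at a market price."""
    payout_weth: float          # payoutAmount, denominated in the payout token (WETH)
    fee_token_amount: float     # fee tokens the claimer receives (USDC assumed)
    fee_token_per_weth: float   # market price: fee tokens per 1 WETH

    def fee_value_in_weth(self) -> float:
        """Value of the collected fee tokens expressed in WETH."""
        return self.fee_token_amount / self.fee_token_per_weth

    def claimer_pnl_weth(self) -> float:
        """What the claimer nets: fee value received minus payoutAmount paid."""
        return self.fee_value_in_weth() - self.payout_weth

    def is_profitable(self) -> bool:
        """The auction only attracts a claimer when this is True."""
        return self.claimer_pnl_weth() > 0


def break_even_fee_tokens(payout_weth: float, fee_token_per_weth: float) -> float:
    """Fee-token balance at which paying payoutAmount becomes worthwhile.

    A higher WETH price raises this bar (fees sit uncollected longer); a lower
    WETH price lowers it (fees are collected sooner).
    """
    return payout_weth * fee_token_per_weth


def first_profitable_step(payout_weth: float,
                          fee_balances: Sequence[float],
                          prices: Sequence[float]) -> Optional[int]:
    """Index of the first step at which a rational claimer would act.

    fee_balances[i] is the pool's accumulated protocol fee balance at step i and
    prices[i] the fee-tokens-per-WETH price at that step (both constructed).
    """
    for i, (balance, price) in enumerate(zip(fee_balances, prices)):
        if FeeClaim(payout_weth, balance, price).is_profitable():
            return i
    return None


def drift_guard_allows(claim: FeeClaim, max_drift: float) -> bool:
    """Hypothetical circuit breaker in the spirit of the report's mitigation.

    Permits the claim only while the WETH value of the fees stays within
    +/- max_drift of payoutAmount. Illustrative only: such a check needs a
    trusted price source and is not part of V3FactoryOwner.
    """
    ratio = claim.fee_value_in_weth() / claim.payout_weth
    return (1 - max_drift) <= ratio <= (1 + max_drift)


if __name__ == "__main__":
    payout = 10.0                 # constructed payoutAmount of 10 WETH
    fees = 30_000.0               # constructed: 30,000 USDC sitting in the pool

    for label, price in [("baseline", 3_000.0), ("WETH x4", 12_000.0), ("WETH -75%", 750.0)]:
        c = FeeClaim(payout, fees, price)
        print(f"{label:10s} fee value {c.fee_value_in_weth():6.2f} WETH, "
              f"claimer P&L {c.claimer_pnl_weth():+6.2f} WETH, "
              f"break-even {break_even_fee_tokens(payout, price):,.0f} USDC")

    # Constructed fee stream growing 6,000 USDC per step; the price drops at step 3.
    balances = [6_000 * (i + 1) for i in range(6)]
    flat = [3_000.0] * 6
    dip = [3_000.0, 3_000.0, 3_000.0, 2_000.0, 2_000.0, 2_000.0]
    print("first profitable step, flat price:", first_profitable_step(payout, balances, flat))
    print("first profitable step, price dip: ", first_profitable_step(payout, balances, dip))
```

The point the model makes visible is that the claimer's decision is a single comparison, fee value in WETH against payoutAmount; a price move does not change the rule, it changes when the accumulated fees cross the bar, so a WETH drop pulls the claim forward and a WETH rally delays it. Any drift guard of the kind sketched above trades that stalling risk for a dependency on the oracle it reads.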

MarioPoneder commented 4 months ago

https://docs.code4rena.com/awarding/judging-criteria/supreme-court-decisions-fall-2023#verdict-proposal-penalties-for-invalid-submissions See also #287

c4-judge commented 4 months ago

MarioPoneder marked the issue as unsatisfactory: Invalid