The unchecked divergence of the payoutAmount and actual fee value due to price changes allows extractable value and undermines the arbitrage incentives essential to UniStaker's design. Adding circuit breakers and an adjustable payout amount based on price data would significantly improve the system's resiliency.
Vulnerability Details
V3FactoryOwner.claimFees() mechanism relies on arbitrage from external parties to consistently buy fee tokens in exchange for paying the payoutAmount of WETH. Drastic changes in the WETH/fee token price ratio can make this arbitrage unprofitable. This breaks the economic incentives that power this auction-based fee collection system.
function claimFees(
IUniswapV3PoolOwnerActions _pool,
address _recipient,
uint128 _amount0Requested,
uint128 _amount1Requested
) external returns (uint128, uint128) {
// Collects fees by paying payoutAmount of WETH <@
PAYOUT_TOKEN.safeTransferFrom(msg.sender, address(REWARD_RECEIVER), payoutAmount);
REWARD_RECEIVER.notifyRewardAmount(payoutAmount);
(uint128 _amount0, uint128 _amount1) =
_pool.collectProtocol(_recipient, _amount0Requested, _amount1Requested);
// Protect the caller from receiving less than requested. See `collectProtocol` for context.
if (_amount0 < _amount0Requested || _amount1 < _amount1Requested) {
revert V3FactoryOwner__InsufficientFeesCollected();
}
// Value of fees rewarded could deviate greatly from payoutAmount
emit FeesClaimed(address(_pool), msg.sender, _recipient, _amount0, _amount1);
return (_amount0, _amount1);
}
If the price ratio changes cause the value of the fee tokens to differ substantially from the payoutAmount of WETH, it breaks the economic incentive for buyers.
Impact
Fees accumulate without being collected if arbitrage becomes unviable
Reward consistency suffers with changing frequency of notifications
First-mover advantages appear for holders detecting price shifts
For example, if WETH quadruples in value compared to stablecoin fee tokens, buyers would have to overpay 4X to claim fees. This would likely fully deter fee collection.
Conversely, a 75% drop in WETH price would greatly incentivize rapid collection of all fees before price recoveries. This could cause reward consistency issues.
Proof of Concept
An attacker monitors the WETH/USDC price ratio, waiting for a 30% drop in ETH value. When this occurs:
They instantly call V3FactoryOwner.claimFees(), paying the still-high payoutAmount in cheapened WETH
This lets them claim an excessive portion of USDC fees compared to the WETH spent
The attacker profits from the temporary price divergence
Reward consistency suffers as large fee chunks are extracted
To carry out the attack, the attacker needs accounts with pre-approved WETH to spend and needs to monitor pricing data. No other special access is required.
Tools Used
Manual
Recommended Mitigation Steps
Implement configurable circuit breakers around price drift thresholds in claimFees()
Lines of code
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5298812a129f942555466ebaa6ea9a2af4be0ccc/src/V3FactoryOwner.sol#L181-L198
Vulnerability details
Summary
The unchecked divergence of the
payoutAmount
and actual fee value due to price changes allows extractable value and undermines the arbitrage incentives essential to UniStaker's design. Adding circuit breakers and an adjustable payout amount based on price data would significantly improve the system's resiliency.Vulnerability Details
V3FactoryOwner.claimFees()
mechanism relies on arbitrage from external parties to consistently buy fee tokens in exchange for paying thepayoutAmount
of WETH. Drastic changes in the WETH/fee token price ratio can make this arbitrage unprofitable. This breaks the economic incentives that power this auction-based fee collection system.In V3FactoryOwner.claimFees()
If the price ratio changes cause the value of the fee tokens to differ substantially from the
payoutAmount
of WETH, it breaks the economic incentive for buyers.Impact
For example, if WETH quadruples in value compared to stablecoin fee tokens, buyers would have to overpay 4X to claim fees. This would likely fully deter fee collection.
Conversely, a 75% drop in WETH price would greatly incentivize rapid collection of all fees before price recoveries. This could cause reward consistency issues.
Proof of Concept
An attacker monitors the WETH/USDC price ratio, waiting for a 30% drop in ETH value. When this occurs:
V3FactoryOwner.claimFees()
, paying the still-highpayoutAmount
in cheapened WETHTools Used
Manual
Recommended Mitigation Steps
Implement configurable circuit breakers around price drift thresholds in
claimFees()
payoutAmount
adjustment mechanismsAdd an oracle-connected mechanism to algorithmically adjust the
payoutAmount
to maintain an even WETH/fee value ratioAssessed type
Other