The amount of tokens received from UniswapV3Pool functions might be manipulated by front-runners due to the decentralized nature of AMMs, where the order of transactions can not be pre-determined. A potential “sandwicher” may insert a buying order before the call
Proof of Concept
function _mintLiquidity(
LiquidityChunk liquidityChunk,
IUniswapV3Pool univ3pool
) internal returns (LeftRightSigned movedAmounts) {
// build callback data
bytes memory mintdata = abi.encode(
CallbackLib.CallbackData({ // compute by reading values from univ3pool every time
poolFeatures: CallbackLib.PoolFeatures({
token0: univ3pool.token0(),
token1: univ3pool.token1(),
fee: univ3pool.fee()
}),
payer: msg.sender
})
);
/// mint the required amount in the Uniswap pool
/// @dev this triggers the uniswap mint callback function
(uint256 amount0, uint256 amount1) = univ3pool.mint(
address(this),
liquidityChunk.tickLower(),
liquidityChunk.tickUpper(),
liquidityChunk.liquidity(),
mintdata
);
// amount0 The amount of token0 that was paid to mint the given amount of liquidity
// amount1 The amount of token1 that was paid to mint the given amount of liquidity
// no need to safecast to int from uint here as the max position size is int128
movedAmounts = LeftRightSigned.wrap(0).toRightSlot(int128(int256(amount0))).toLeftSlot(
int128(int256(amount1))
);
}
Tools Used
Recommended Mitigation Steps
add extra priventive measure to secure this attack
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/SemiFungiblePositionManager.sol#L1185
Vulnerability details
Impact
The amount of tokens received from UniswapV3Pool functions might be manipulated by front-runners due to the decentralized nature of AMMs, where the order of transactions can not be pre-determined. A potential “sandwicher” may insert a buying order before the call
Proof of Concept
Tools Used
Recommended Mitigation Steps
add extra priventive measure to secure this attack
Assessed type
Context