code-423n4 / 2024-04-panoptic-findings


“sandwiching” front running #551

Closed c4-bot-2 closed 2 months ago

c4-bot-2 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/SemiFungiblePositionManager.sol#L1185

Vulnerability details

Impact

The amount of tokens received from UniswapV3Pool functions might be manipulated by front-runners due to the decentralized nature of AMMs, where the order of transactions cannot be pre-determined. A potential “sandwicher” may insert a buying order before the call

Proof of Concept

function _mintLiquidity(
    LiquidityChunk liquidityChunk,
    IUniswapV3Pool univ3pool
) internal returns (LeftRightSigned movedAmounts) {
    // build callback data
    bytes memory mintdata = abi.encode(
        CallbackLib.CallbackData({ // compute by reading values from univ3pool every time
                poolFeatures: CallbackLib.PoolFeatures({
                    token0: univ3pool.token0(),
                    token1: univ3pool.token1(),
                    fee: univ3pool.fee()
                }),
                payer: msg.sender
            })
    );

    /// mint the required amount in the Uniswap pool
    /// @dev this triggers the uniswap mint callback function
    (uint256 amount0, uint256 amount1) = univ3pool.mint(
        address(this),
        liquidityChunk.tickLower(),
        liquidityChunk.tickUpper(),
        liquidityChunk.liquidity(),
        mintdata
    );

    // amount0 The amount of token0 that was paid to mint the given amount of liquidity
    // amount1 The amount of token1 that was paid to mint the given amount of liquidity
    // no need to safecast to int from uint here as the max position size is int128
    movedAmounts = LeftRightSigned.wrap(0).toRightSlot(int128(int256(amount0))).toLeftSlot(
        int128(int256(amount1))
    );
}

Tools Used

Recommended Mitigation Steps

add extra preventive measures to secure against this attack

Assessed type

Context
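Added illustration (not part of the submission or of the Panoptic code base): a simplified float model of the Uniswap v3 liquidity formulas shows how the amount0/amount1 returned by a mint for a fixed liquidity chunk depends on the pool price at execution time, and how a caller-supplied amount limit turns an unexpected price move into a revert instead of a silently larger payment. The chunk and prices are constructed values.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Chunk:
    """Constructed stand-in for a LiquidityChunk: price range plus liquidity."""
    price_lower: float  # token1 per token0 at tickLower
    price_upper: float  # token1 per token0 at tickUpper
    liquidity: float


def amounts_for_mint(chunk: Chunk, price: float) -> tuple[float, float]:
    """Token0/token1 a Uniswap v3 mint of `chunk.liquidity` pulls from the payer
    when the pool trades at `price` (standard v3 range math, floats for clarity)."""
    sa, sb, sp = sqrt(chunk.price_lower), sqrt(chunk.price_upper), sqrt(price)
    L = chunk.liquidity
    if sp <= sa:                       # price below range: position is all token0
        return L * (sb - sa) / (sa * sb), 0.0
    if sp >= sb:                       # price above range: position is all token1
        return 0.0, L * (sb - sa)
    return L * (sb - sp) / (sp * sb), L * (sp - sa)


def mint_with_limits(chunk: Chunk, executed_price: float,
                     max0: float, max1: float) -> tuple[float, float]:
    """Mint that reverts (raises) if the executed price would make the caller
    pay more of either token than the limits it computed from the quoted price."""
    a0, a1 = amounts_for_mint(chunk, executed_price)
    if a0 > max0 or a1 > max1:
        raise ValueError("amounts exceed caller limits; price moved before mint")
    return a0, a1


def limited_mint_reverts(chunk: Chunk, quoted_price: float,
                         executed_price: float, slippage: float) -> bool:
    """True if a mint quoted at `quoted_price` but executed at `executed_price`
    is rejected by limits set `slippage` (e.g. 0.01) above the quoted amounts."""
    q0, q1 = amounts_for_mint(chunk, quoted_price)
    try:
        mint_with_limits(chunk, executed_price, q0 * (1 + slippage), q1 * (1 + slippage))
    except ValueError:
        return True
    return False


CHUNK = Chunk(price_lower=1.0, price_upper=4.0, liquidity=1000.0)  # constructed
```

With CHUNK quoted at price 2.0, pushing the pool to 3.0 before the mint raises the token1 due from about 414 to about 732, which the 1% limit rejects; the same mint executed at 2.0 passes.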

c4-judge commented 2 months ago

Picodes marked the issue as unsatisfactory: Invalid