search

code-423n4 / 2024-04-panoptic-findings

2 stars 2 forks source link

Attacker can deploy pool with fake token to drain other token in the pair from user who mint option is short call #566

Closed c4-bot-4 closed 2 months ago

c4-bot-4 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/libraries/InteractionHelper.sol#L48-#L85

Vulnerability details

Vulnerability details

With the current design of protocol, it is able for anyone to deploy pool with any token pair. And the name of them is computed as below:

function computeName(
    address token0,
    address token1,
    bool isToken0,
    uint24 fee,
    string memory prefix
) external view returns (string memory) {
    // get the underlying token symbols
    // it's not guaranteed that they support the metadata extension
    // so we need to let them fail and return placeholder if not
    string memory symbol0;
    string memory symbol1;
    try IERC20Metadata(token0).symbol() returns (string memory _symbol) {
        symbol0 = _symbol;
    } catch {
        symbol0 = "???";
    }
    try IERC20Metadata(token1).symbol() returns (string memory _symbol) {
        symbol1 = _symbol;
    } catch {
        symbol1 = "???";
    }
    unchecked {
        return
            string.concat(
                prefix,
                " ",
                isToken0 ? symbol0 : symbol1,
                " LP on ",
                symbol0,
                "/",
                symbol1,
                " ",
                Strings.toString(fee),
                "bps"
            );
    }
}

It can be seen that it only fetch name of 2 tokens. Which will open the scenario that attacker can trap user like below:

Create a Uniswap V3 pool with one of them is fake token that have special transferFrom() function and attacker is able to mint token for themselves Seed it with an incredibly low amount of liquidity and maintain this price to be same as actual price, which shouldn't be hard with a new, unused pool and low liquidity that do not make profit when doing swap Waiting anyone who make mint options with short call and drain liquidity in the uniswap v3 pool

As there is no mechanism to remove pool, user can trap anyone again and again.

Impact

Attacker can trap user by creating fake pool

Tools Used

Manual review

Recommended Mitigation Steps

Owner should be only one that can deploy pool.

Assessed type

Other

c4-judge commented 2 months ago

Picodes marked the issue as unsatisfactory: Invalid

Picodes commented 2 months ago

This scenario exists in Uniswap as well