With the current design of the protocol, anyone can deploy a pool with any token pair, and the name is computed as below:
```solidity
function computeName(
    address token0,
    address token1,
    bool isToken0,
    uint24 fee,
    string memory prefix
) external view returns (string memory) {
    // get the underlying token symbols
    // it's not guaranteed that they support the metadata extension
    // so we need to let them fail and return placeholder if not
    string memory symbol0;
    string memory symbol1;
    try IERC20Metadata(token0).symbol() returns (string memory _symbol) {
        symbol0 = _symbol;
    } catch {
        symbol0 = "???";
    }
    try IERC20Metadata(token1).symbol() returns (string memory _symbol) {
        symbol1 = _symbol;
    } catch {
        symbol1 = "???";
    }
    unchecked {
        return
            string.concat(
                prefix,
                " ",
                isToken0 ? symbol0 : symbol1,
                " LP on ",
                symbol0,
                "/",
                symbol1,
                " ",
                Strings.toString(fee),
                "bps"
            );
    }
}
```
It can be seen that it only fetches the names (the `symbol()` values) of the 2 tokens. This opens up a scenario in which an attacker can trap users as below:
Create a Uniswap V3 pool in which one of the tokens is a fake token that has a special transferFrom() function and that the attacker is able to mint for themselves.
Seed it with an incredibly low amount of liquidity and keep its price the same as the actual price, which shouldn't be hard with a new, unused pool whose low liquidity makes swapping unprofitable.
Wait for anyone who mints options with a short call, then drain the liquidity in the Uniswap V3 pool.
As there is no mechanism to remove a pool, the attacker can trap users again and again.
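The name collision described above, as an added example that is not part of the original report or of the Panoptic code base: a Python model of `computeName()` in which two different token pairs produce the same name, next to a check that judges tokens by address instead. The addresses, the `PREFIX` value, the fee, the `TRUSTED` list and the `review_pool` helper are assumptions made for illustration.

```python
# Added example: Python model of computeName() and an address-based check.
# Every address, symbol, the prefix and the TRUSTED list are constructed.
WETH = "0x" + "a1" * 20
USDC = "0x" + "b2" * 20
LOOKALIKE = "0x" + "c3" * 20  # unverified token that also reports "USDC"

# What each token contract returns from symbol(); a missing entry models a
# token without the metadata extension (the catch branch, "???").
SYMBOLS = {WETH: "WETH", USDC: "USDC", LOOKALIKE: "USDC"}

# Assumption: the integrator keeps its own list of verified token addresses.
TRUSTED = {WETH: "WETH", USDC: "USDC"}


def compute_name(symbols, token0, token1, is_token0, fee, prefix):
    """Mirror the Solidity logic: the name is built from self-reported symbols."""
    s0 = symbols.get(token0, "???")
    s1 = symbols.get(token1, "???")
    return f"{prefix} {s0 if is_token0 else s1} LP on {s0}/{s1} {fee}bps"


def review_pool(symbols, token0, token1):
    """Judge a pool by token address, never by the symbol shown in its name."""
    trusted_symbols = {s.upper() for s in TRUSTED.values()}
    findings = []
    for token in (token0, token1):
        if token.lower() in TRUSTED:
            continue
        symbol = symbols.get(token, "???")
        if symbol.upper() in trusted_symbols:
            findings.append(f"{token}: reports {symbol} but is not the verified address")
        else:
            findings.append(f"{token}: unverified token ({symbol})")
    return findings


def demo():
    genuine = compute_name(SYMBOLS, WETH, USDC, True, 500, "PREFIX")
    lookalike = compute_name(SYMBOLS, WETH, LOOKALIKE, True, 500, "PREFIX")
    return genuine, lookalike, review_pool(SYMBOLS, WETH, USDC), review_pool(SYMBOLS, WETH, LOOKALIKE)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two names returned by `demo()` are identical, so only the address comparison in `review_pool` separates the pools.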
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/libraries/InteractionHelper.sol#L48-#L85
Impact
An attacker can trap users by creating a fake pool.
Tools Used
Manual review
Recommended Mitigation Steps
The owner should be the only one that can deploy a pool.
Assessed type
Other