c4-judge
commented
2 months ago Picodes marked the issue as unsatisfactory: Invalid
Closed c4-bot-1 closed 2 months ago
c4-judge
commented
2 months ago Picodes marked the issue as unsatisfactory: Invalid
Picodes
commented
2 months ago Invalidating as there would be no impact aside from deploying a useless contract
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/PanopticFactory.sol#L210-L227
Vulnerability details
Impact
The input parameters
token0,token1, andfeeare not validated in thedeployNewPoolfunction within thePanopticFactorycontract. This omission can potentially lead to unexpected behavior and effects when the contract interacts with the SemiFungiblePositionManager contract and the UniswapV3Factory contract.In particular, if the
token0,token1, andfeeparameters lead to av3Pooladdress that doesn't represent an existing and properly initialized Uniswap V3 pool, it could cause runtime errors or result in incorrect pool initialization.Proof of Concept
Tools Used
Manual review
Recommended Mitigation Steps
Before invoking the UniswapV3Factory's
getPoolfunction and initializing thev3Poolreference, assert thattoken0,token1, andfeeare valid. Consider defining and using a function that verifies token addresses and fee amounts per the business rules of your smart contract system. This will help ensure that all function inputs are sanitized, and it will prevent unexpected behavior in later execution. Note that sometimes, input validation is not possible if there's no way to predict all valid cases a priori (e.g., token address verification if any ERC20 token can be used). In such cases, ensure that other parts of the contract code are capable of properly handling any possible input.Assessed type
Invalid Validation