Open c4-bot-3 opened 4 months ago
kalinbas marked the issue as disagree with severity
kalinbas (sponsor) confirmed
There is no medium risk here in my opinion. But yes it is a good finding.
Hi @kalinbas, thank you for your response. In my opinion this does qualify as medium risk because it forces the users to decrease their liquidity in order to collect their fees. So I think in this issue one of the main features of the protocol (that is, allowing collecting fees alone, or allowing to use only fees for leverageDown) is affected. Can you check?
Yeah, I agree, it is a main feature. But with V3Utils you can collect fees only when liquidity == 0. So it is actually possible to collect fees only. I keep my opinion that this should not be a medium risk.
WITHDRAW_AND_COLLECT_AND_SWAP doesn't force them to swap
Hi @kalinbas, you're totally right, I'm sorry, I'm mistaken: WITHDRAW_AND_COLLECT_AND_SWAP doesn't force them to swap.
Now the only problem is that leverageDown forces users to decrease liquidity, but I understand if you keep your opinion.
Thank you for your comment.
I am more inclined to maintain the M. Although this issue does not cause any value leakage, the standalone fee collection is a key function, which meets the criteria for key functionality errors.
jhsagd76 marked the issue as satisfactory
jhsagd76 marked the issue as selected for report
Lines of code
https://github.com/revert-finance/lend/blob/audit/src/V3Vault.sol#L654-L658
Vulnerability details
Impact
leverageDown with fee alone.
Proof of concept
One of the most important features of Revert Lend is that it allows users to take loans using UniswapV3 positions as collateral while at the same time being able to manage their positions; this includes collecting fees, decreasing liquidity, increasing liquidity, ... as documented here.
However, the current implementation will not allow users to just collect fees.
V3Vault contains a function called decreaseLiquidityAndCollect. The function calls decreaseLiquidity without checking whether the liquidity to be removed is > 0; if liquidity = 0, then decreaseLiquidity will revert. Below is the UniswapV3 NonfungiblePositionManager code for this situation: https://github.com/Uniswap/v3-periphery/blob/main/contracts/NonfungiblePositionManager.sol#L265
Using a V3Utils transformation will not allow users to just collect fees either. The function V3Utils.execute does check if liquidity > 0 before decreasing liquidity, and collects fees. However, after this step V3Utils only supports 3 modes, and each of these forces users to do something else besides collecting fees:
- CHANGE_RANGE mode forces users to mint a new UniswapV3 position
- WITHDRAW_AND_COLLECT_AND_SWAP forces users to swap tokens
- COMPOUND_FEES forces users to use all collected fees to increase liquidity
In summary, V3Vault and V3Utils won't let users collect their position fees alone, an important feature of the Revert Lend system.
One more place where this is not checked is the function LeverageTransformer.leverageDown. If a user passes in LeverageDownParams.liquidity = 0, that means they just want to use the fees collected from the UniswapV3 position to repay their debt in V3Vault, yet in this situation they are forced to decrease their position.
Below is a POC for this issue; save this test case to the file V3Oracle.t.my.sol and run it using the command:
forge test --match-path test/integration/V3Vault.t.sol --match-test testCannotCollect -vvvv
Tool used
Manual Review
Recommended mitigation
In function V3Vault.decreaseLiquidityAndCollect, the code should check if liquidity > 0; if not, decreaseLiquidity should not be called. This allows the user to collect fees alone.
Assessed type
Invalid Validation
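The unchecked call and the recommended mitigation side by side, as an added Solidity illustration that is not Revert Lend's code. MockPositionManager and VaultSketch are constructed for this example; only the DecreaseLiquidityParams/CollectParams struct layouts and the require(params.liquidity > 0) guard follow the real Uniswap V3 NonfungiblePositionManager linked above. The same liquidity > 0 gate applies to the LeverageTransformer.leverageDown case described in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Revert Lend's code. Only the struct layouts and the
// `require(params.liquidity > 0)` guard mirror Uniswap's NonfungiblePositionManager;
// everything else here is a constructed stand-in.

interface INonfungiblePositionManager {
    struct DecreaseLiquidityParams {
        uint256 tokenId;
        uint128 liquidity;
        uint256 amount0Min;
        uint256 amount1Min;
        uint256 deadline;
    }
    struct CollectParams {
        uint256 tokenId;
        address recipient;
        uint128 amount0Max;
        uint128 amount1Max;
    }
    function decreaseLiquidity(DecreaseLiquidityParams calldata params) external returns (uint256, uint256);
    function collect(CollectParams calldata params) external returns (uint256, uint256);
}

// Constructed mock that keeps per-position liquidity and pending fees.
contract MockPositionManager is INonfungiblePositionManager {
    mapping(uint256 => uint128) public liquidityOf;
    mapping(uint256 => uint256) public fees0;
    mapping(uint256 => uint256) public fees1;

    function setPosition(uint256 tokenId, uint128 liq, uint256 f0, uint256 f1) external {
        liquidityOf[tokenId] = liq;
        fees0[tokenId] = f0;
        fees1[tokenId] = f1;
    }

    function decreaseLiquidity(DecreaseLiquidityParams calldata p) external override returns (uint256, uint256) {
        require(p.liquidity > 0);                 // the guard the finding hinges on: liquidity == 0 reverts here
        require(liquidityOf[p.tokenId] >= p.liquidity);
        liquidityOf[p.tokenId] -= p.liquidity;
        return (0, 0);                            // principal owed from the burn is ignored in the mock
    }

    function collect(CollectParams calldata p) external override returns (uint256 a0, uint256 a1) {
        a0 = fees0[p.tokenId];
        a1 = fees1[p.tokenId];
        fees0[p.tokenId] = 0;
        fees1[p.tokenId] = 0;
        // token transfer to recipient and amount0Max/amount1Max capping omitted
    }
}

// Vault sketch showing the two variants; owner, debt and collateral checks are omitted.
contract VaultSketch {
    INonfungiblePositionManager public immutable npm;

    struct DecreaseParams {
        uint256 tokenId;
        uint128 liquidity;
        uint256 amount0Min;
        uint256 amount1Min;
        uint256 deadline;
        uint128 feeAmount0;
        uint128 feeAmount1;
        address recipient;
    }

    constructor(INonfungiblePositionManager _npm) {
        npm = _npm;
    }

    // Vulnerable shape: decreaseLiquidity runs unconditionally, so a fee-only call
    // (liquidity == 0) reverts inside the position manager and collect() is never reached.
    function decreaseLiquidityAndCollectUnchecked(DecreaseParams calldata p) external returns (uint256, uint256) {
        npm.decreaseLiquidity(INonfungiblePositionManager.DecreaseLiquidityParams(
            p.tokenId, p.liquidity, p.amount0Min, p.amount1Min, p.deadline));
        return npm.collect(INonfungiblePositionManager.CollectParams(
            p.tokenId, p.recipient, p.feeAmount0, p.feeAmount1));
    }

    // Mitigated shape: only burn liquidity when the caller asked to remove some,
    // so a fee-only call goes straight to collect().
    function decreaseLiquidityAndCollectChecked(DecreaseParams calldata p) external returns (uint256, uint256) {
        if (p.liquidity > 0) {
            npm.decreaseLiquidity(INonfungiblePositionManager.DecreaseLiquidityParams(
                p.tokenId, p.liquidity, p.amount0Min, p.amount1Min, p.deadline));
        }
        return npm.collect(INonfungiblePositionManager.CollectParams(
            p.tokenId, p.recipient, p.feeAmount0, p.feeAmount1));
    }
}
```

A Foundry test for this sketch would call setPosition(1, 0, 100, 100) on the mock, expect decreaseLiquidityAndCollectUnchecked to revert when called with liquidity = 0, and expect decreaseLiquidityAndCollectChecked with the same parameters to return (100, 100) while leaving liquidityOf(1) untouched; that is the behavioural difference the recommended mitigation introduces.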