search

code-423n4 / 2024-06-vultisig-validation

2 stars 0 forks source link

Blocklist Token Disruption in Liquidity Management Contract Leads to Transaction Failures and Gas Losses #664

Open c4-bot-1 opened 4 months ago

c4-bot-1 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/base/LiquidityManagement.sol#L20 https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/base/PeripheryPayments.sol#L21

Vulnerability details

Summary

The LiquidityManagement contract, which inherits from PeripheryPayments, is vulnerable to disruptions caused by token blocklists (e.g., USDT) during Uniswap V3 liquidity provision. This report outlines how blocklisted addresses can impede the contract's operation in the context of adding liquidity to Uniswap V3 pools.

Flow of Execution

  1. A user initiates the addition of liquidity through the LiquidityManagement contract.
  2. The addLiquidity function of LiquidityManagement calls pool.mint, intending to deposit tokens into a Uniswap V3 pool.
  3. The Uniswap V3 pool, in turn, calls the uniswapV3MintCallback function.
  4. Within the uniswapV3MintCallback, the pay function from PeripheryPayments is called to transfer tokens.
  5. Token transfers are attempted using the TransferHelper.safeTransfer or TransferHelper.safeTransferFrom methods.

Vulnerable Code

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/base/LiquidityManagement.sol#L20

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/base/PeripheryPayments.sol#L21

// File: LiquidityManagement.sol
function uniswapV3MintCallback(
    uint256 amount0Owed,
    uint256 amount1Owed,
    bytes calldata data
) external override {
    require(msg.sender == _cachedUniV3PoolAddress);
    if (amount0Owed > 0) pay(_cachedPoolKey.token0, address(this), msg.sender, amount0Owed);
    if (amount1Owed > 0) pay(_cachedPoolKey.token1, address(this), msg.sender, amount1Owed);
}
// File: PeripheryPayments.sol
function pay(
    address token,
    address payer,
    address recipient,
    uint256 value
) internal {
    TransferHelper.safeTransferFrom(token, payer, recipient, value);
}

Proof of Concept

  1. Transaction Reverts: When a blocklisted contract address attempts to execute safeTransferFrom, the transaction fails, reverting with an error if the token enforces blocklisting.
  2. Scenario Simulation: Deploying these contracts in a test environment and simulating the addition of liquidity using a blocklisted token results in transaction failures, as predicted by the contract's logic.

Impact

Users attempting to provide liquidity involving blocklisted tokens experience transaction failures, leading to loss of gas fees.

Recommended Mitigation Steps

Before initiating token transfers, implement a function to check the blocklist status of the involved addresses

Assessed type

ERC20