Because there is not constraint between _project.initialPoolPriceX96 and sqrtRatioUpperX96 when initialize ILO pool, so there will be case that satisfies sqrtRatioLowerX96 < sqrtRatioUpperX96 && sqrtRatioUpperX96 < _project.initialPoolPriceX96. In such a case, the pool requires only pool's token1 when providing liquidity, with amount calculated as here https://github.com/Uniswap/v3-core/blob/d8b1c635c275d2a9450bd6a78f3fa2484fef73eb/contracts/UniswapV3Pool.sol#L363-L368.
In function ILOPool#launch(), liquidity is added to the position with range [TICK_LOWER, TICK_UPPER]. In case RAISE_TOKEN is pool token0, and sqrtRatioLowerX96 < sqrtRatioUpperX96 && sqrtRatioUpperX96 < _project.initialPoolPriceX96 satisfies, the amount of token1 to be added is calculated as https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L395. This calculation is unexpected in the case.
So far, this issue will cause amounts to be used as liquidity miscalculated
Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L90 https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L395 https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L288
Vulnerability details
Impact
Because there is not constraint between
_project.initialPoolPriceX96
andsqrtRatioUpperX96
when initialize ILO pool, so there will be case that satisfiessqrtRatioLowerX96 < sqrtRatioUpperX96 && sqrtRatioUpperX96 < _project.initialPoolPriceX96
. In such a case, the pool requires onlypool's token1
when providing liquidity, with amount calculated as here https://github.com/Uniswap/v3-core/blob/d8b1c635c275d2a9450bd6a78f3fa2484fef73eb/contracts/UniswapV3Pool.sol#L363-L368. In functionILOPool#launch()
, liquidity is added to the position with range[TICK_LOWER, TICK_UPPER]
. In caseRAISE_TOKEN
is pool token0, andsqrtRatioLowerX96 < sqrtRatioUpperX96 && sqrtRatioUpperX96 < _project.initialPoolPriceX96
satisfies, the amount of token1 to be added is calculated as https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L395. This calculation is unexpected in the case. So far, this issue will cause amounts to be used as liquidity miscalculatedProof of Concept
https://github.com/Uniswap/v3-core/blob/d8b1c635c275d2a9450bd6a78f3fa2484fef73eb/contracts/UniswapV3Pool.sol#L363-L368
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L395
Tools Used
Manual
Recommended Mitigation Steps
Constraint
_project.initialPoolPriceX96
withsqrtRatioUpperX96
Assessed type
Uniswap