code-423n4 / 2024-06-vultisig-validation


Miscalculate amount of liquidity and amount of token #686

Open c4-bot-7 opened 2 months ago

c4-bot-7 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L90

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L395

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L288

Vulnerability details

Impact

Because there is no constraint between _project.initialPoolPriceX96 and sqrtRatioUpperX96 when initializing an ILO pool, there can be a case that satisfies sqrtRatioLowerX96 < sqrtRatioUpperX96 && sqrtRatioUpperX96 < _project.initialPoolPriceX96. In such a case, the pool requires only the pool's token1 when providing liquidity, with the amount calculated as here: https://github.com/Uniswap/v3-core/blob/d8b1c635c275d2a9450bd6a78f3fa2484fef73eb/contracts/UniswapV3Pool.sol#L363-L368. In function ILOPool#launch(), liquidity is added to the position with range [TICK_LOWER, TICK_UPPER]. In case RAISE_TOKEN is the pool's token0 and sqrtRatioLowerX96 < sqrtRatioUpperX96 && sqrtRatioUpperX96 < _project.initialPoolPriceX96 is satisfied, the amount of token1 to be added is calculated as https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L395. This calculation is unexpected in this case. As a result, this issue will cause the amounts used as liquidity to be miscalculated.

Proof of Concept

https://github.com/Uniswap/v3-core/blob/d8b1c635c275d2a9450bd6a78f3fa2484fef73eb/contracts/UniswapV3Pool.sol#L363-L368

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L395

Tools Used

Manual

Recommended Mitigation Steps

Constrain _project.initialPoolPriceX96 with sqrtRatioUpperX96

Assessed type

Uniswap
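
The three price regimes the report relies on, as an added Python sketch (not code from the report, the Vultisig repository or Uniswap): it models Uniswap v3's amounts-for-liquidity arithmetic with plain integers and shows that a position needs only token1 once the pool price sits above the upper bound. The sample prices, the liquidity figure and the `initial_price_within_upper` guard are constructed or hypothetical; the guard is one possible form of the recommended constraint.

```python
# Added illustration: integer model of Uniswap v3 amounts-for-liquidity math.
# Sqrt prices are Q64.96 fixed-point values, as in the *X96 names in the report.
Q96 = 1 << 96


def amount0_for_liquidity(sqrt_a, sqrt_b, liquidity):
    """token0 needed to back `liquidity` between two sqrt prices."""
    if sqrt_a > sqrt_b:
        sqrt_a, sqrt_b = sqrt_b, sqrt_a
    return (liquidity << 96) * (sqrt_b - sqrt_a) // sqrt_b // sqrt_a


def amount1_for_liquidity(sqrt_a, sqrt_b, liquidity):
    """token1 needed to back `liquidity` between two sqrt prices."""
    if sqrt_a > sqrt_b:
        sqrt_a, sqrt_b = sqrt_b, sqrt_a
    return liquidity * (sqrt_b - sqrt_a) // Q96


def amounts_for_liquidity(sqrt_p, sqrt_lower, sqrt_upper, liquidity):
    """(amount0, amount1) for a position, given the current pool sqrt price."""
    if sqrt_p <= sqrt_lower:
        # Price below the range: the position is entirely token0.
        return amount0_for_liquidity(sqrt_lower, sqrt_upper, liquidity), 0
    if sqrt_p < sqrt_upper:
        # Price inside the range: both tokens are required.
        return (amount0_for_liquidity(sqrt_p, sqrt_upper, liquidity),
                amount1_for_liquidity(sqrt_lower, sqrt_p, liquidity))
    # Price at or above the range: the position is entirely token1.
    # This is the case the report describes (upper < initial price).
    return 0, amount1_for_liquidity(sqrt_lower, sqrt_upper, liquidity)


def initial_price_within_upper(sqrt_p, sqrt_lower, sqrt_upper):
    """Hypothetical init-time guard: reject an initial price at or above the upper bound."""
    return sqrt_lower < sqrt_upper and sqrt_p < sqrt_upper


# Constructed sample values: range covers price 1 to 4 (sqrt price 1 to 2).
SQRT_LOWER = 1 * Q96
SQRT_UPPER = 2 * Q96
LIQUIDITY = 10**18

if __name__ == "__main__":
    for label, sqrt_p in (("below", Q96 // 2), ("inside", Q96 * 3 // 2), ("above", 3 * Q96)):
        amounts = amounts_for_liquidity(sqrt_p, SQRT_LOWER, SQRT_UPPER, LIQUIDITY)
        ok = initial_price_within_upper(sqrt_p, SQRT_LOWER, SQRT_UPPER)
        print(f"{label:6} amount0={amounts[0]} amount1={amounts[1]} guard_ok={ok}")
```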