Open howlbot-integration[bot] opened 1 month ago
alex-ppg marked the issue as not a duplicate
alex-ppg marked the issue as primary issue
The submission and its duplicate properly identify that the position.rs
file fails to permit underflows to occur when calculating fees which might result in inaccessible funds. I have personally observed this vulnerability in production, and I am inclined to agree with a high-risk severity rating as positions resulting in the underflow would effectively become permanently inaccessible.
To note, this submission and submission #46 are distinct due to being located in different files.
alex-ppg marked the issue as selected for report
alex-ppg marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/position.rs#L52-L66
Vulnerability details
Impact
The math used to calculate how many fees are owed to the user does not allow underflows, but this is a necessary due to how the Uniswap logic works as fees can be negative. This impact adding/removing funds to a position, resulting in permanently locked funds due to a revert.
Context
Similar to
Position's fee growth can revert resulting in funds permanently locked
but with a different function/root cause, both issues must be fixed separately.Proof of Concept
In
position.update
underflows are not allowed:https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/position.rs#L52-L66
While the original Uniswap version allows underflows:
https://github.com/Uniswap/v3-core/blob/d8b1c635c275d2a9450bd6a78f3fa2484fef73eb/contracts/libraries/Position.sol#L61-L76
The issue is that negative fees are expected due to how the formula works. It is explained in detail in this Uniswap's issue: https://github.com/Uniswap/v3-core/issues/573
This function is used every time a position is updated, so it will be impossible to remove funds from it when the underflow happens because it will revert, resulting in locked funds.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider using
-
to let Rust underflow without errors in release mode:Alternatively, consider using
wrapping_sub
.Assessed type
Uniswap