When operations need to calculate the Superposition position's fee growth, it uses a similar function implemented by uniswap v3.
However, according to this known issue : Uniswap/v3-core#573. The contract implicitly relies on underflow/overflow when calculating the fee growth, if underflow is prevented, some operations that depend on fee growth will revert.
Proof of Concept
It can be observed that the current implementation of tick::get_fee_growth_inside does not allow underflow/overflow to happen when calculating fee_growth_inside_0 and fee_growth_inside_1 because the contract used checked math with additional overflow/underflow checks, which will Performs subtraction that returns None instead of wrapping around on underflow:
tick.rs
In case either one of the calculation underflows we will receive Error::FeeGrowthSubTick instead of being wrapped and continue working.
Uniswap allows such underflows to happen because PositionLibrary works with Solidity version < 0.8. Otherwise, this will impact crucial operations that rely on this call, such as liquidation, and will revert unexpectedly. This behavior is quite often, especially for pools that use lower fees.
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/tick.rs#L125-L246
Vulnerability details
Impact
When operations need to calculate the
Superposition
position's fee growth, it uses a similar function implemented by uniswap v3.However, according to this known issue : Uniswap/v3-core#573. The contract implicitly relies on underflow/overflow when calculating the fee growth, if underflow is prevented, some operations that depend on fee growth will revert.
Proof of Concept
It can be observed that the current implementation of
tick::get_fee_growth_inside
does not allow underflow/overflow to happen when calculatingfee_growth_inside_0
andfee_growth_inside_1
because the contract used checked math with additional overflow/underflow checks, which willPerforms subtraction that returns None instead of wrapping around on underflow
: tick.rsEspecially the last lines where we have:
fee_growth_global_0 - fee_growth_below_0 - fee_growth_above_0
and
fee_growth_global_1 - fee_growth_below_1 - fee_growth_above_1
In case either one of the calculation underflows we will receive
Error::FeeGrowthSubTick
instead of being wrapped and continue working.Uniswap allows such underflows to happen because
PositionLibrary
works with Solidity version < 0.8. Otherwise, this will impact crucial operations that rely on this call, such as liquidation, and will revert unexpectedly. This behavior is quite often, especially for pools that use lower fees.Tools Used
Manual Review & H-04 from Particle Leverage AMM - https://code4rena.com/reports/2023-12-particle#h-04-underflow-could-happened-when-calculating-uniswap-v3-positions-fee-growth-and-can-cause-operations-to-revert
Recommended Mitigation Steps
Use
unsafe
/unchecked
math when calculating the fee growths.Assessed type
Under/Overflow