The AlgebraFactory.createPool function is meant to let the POOLS_CREATOR_ROLE role (or anyone, if isPublicPoolCreationMode is set to true) create a pool for a given combination of two tokens. It first checks that the token pair does not already have a pool, then deploys one via IAlgebraPoolDeployer(poolDeployer).deploy(), where:
so the salt is calculated from the encoded token0, token1 addresses, and once a token pair has been added to poolByPair, it can't be overwritten:
But the pool is not initialized when it is created, which leaves the door open for any malicious actor to initialize the pool with any initial price, hence preventing it from being initialized again with the correct price:
// @notice: AlgebraPool.initialize function:
function initialize(uint160 initialPrice) external override {
    int24 tick = TickMath.getTickAtSqrtRatio(initialPrice); // getTickAtSqrtRatio checks validity of initialPrice inside
    if (globalState.price != 0) revert alreadyInitialized(); // after initialization, the price can never become zero
    globalState.price = initialPrice;
    // ... (the rest of the function is not shown in this excerpt)
}
Tool used
Manual Review
Recommendation
Update AlgebraFactory.createPool function to initialize the deployed pool:
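One way to close the window described above, given as an added example that is not the submission's or the Algebra project's code. `MiniPool` and `MiniFactory` are hypothetical, simplified stand-ins: the role check is omitted, the factory deploys the pool directly, and a non-zero check replaces the `TickMath` validation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the pool; not the Algebra contract.
contract MiniPool {
    address public immutable factory;
    uint160 public price; // 0 means "not initialized", like globalState.price

    error alreadyInitialized();
    error onlyFactory();

    constructor() {
        factory = msg.sender; // the deploying factory
    }

    // Hardened: only the deploying factory may set the first price.
    function initialize(uint160 initialPrice) external {
        if (msg.sender != factory) revert onlyFactory();
        if (price != 0) revert alreadyInitialized();
        require(initialPrice != 0, "zero price"); // assumption: replaces TickMath validation
        price = initialPrice;
    }
}

// Hypothetical stand-in for the factory; access control omitted for brevity.
contract MiniFactory {
    mapping(address => mapping(address => address)) public poolByPair;

    error poolExists();

    // Deploy and initialize in a single transaction, so no third party
    // can call initialize() between deployment and the intended price being set.
    function createPool(address tokenA, address tokenB, uint160 initialPrice) external returns (address pool) {
        require(tokenA != tokenB, "same token");
        (address token0, address token1) = tokenA < tokenB ? (tokenA, tokenB) : (tokenB, tokenA);
        require(token0 != address(0), "zero address"); // token0 is the smaller address
        if (poolByPair[token0][token1] != address(0)) revert poolExists();

        bytes32 salt = keccak256(abi.encode(token0, token1)); // salt from the sorted pair
        pool = address(new MiniPool{salt: salt}());
        MiniPool(pool).initialize(initialPrice);

        poolByPair[token0][token1] = pool;
        poolByPair[token1][token0] = pool;
    }
}
```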
Github username: --
Twitter username: --
Submission hash (on-chain): 0xd761239566dffec6bfa8f4f57e6b91bf17d2395cf40d05fbda57ae4f37d3fe2f
Severity: medium