hansfriese
medium
PerpDepository._rebalanceNegativePnlWithSwap() shouldn't use a sqrtPriceLimitX96 twice.
Summary
PerpDepository._rebalanceNegativePnlWithSwap() shouldn't use a sqrtPriceLimitX96 twice.
Vulnerability Detail
Currently, _rebalanceNegativePnlWithSwap() uses a sqrtPriceLimitX96 param twice for placing a perp order and swapping.
In _placePerpOrder(), it uses the uniswap pool inside the perp protocol and uses a spotSwapper for the second swap which is for the uniswap as well.
But as we can see here, Uniswap V3 introduces multiple pools for each token pair and 2 pools might be different and I think it's not good to use the same sqrtPriceLimitX96 for different pools.
Also, I think it's not mandatory to check a sqrtPriceLimitX96 as it checks amountOutMinimum already. (It checks amountOutMinimum only in _openLong() and _openShort().)
Impact
PerpDepository._rebalanceNegativePnlWithSwap() might revert when it should work as it uses the same sqrtPriceLimitX96 for different pools.
Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L478
Tool used
Manual Review
Recommendation
I think we can use the sqrtPriceLimitX96 param for one pool only and it would be enough as there is an amountOutMinimum condition.
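The revert described under Impact can be reproduced off-chain. The following is an added example, not code from the report or from the UXD contracts: it models in Python the price-limit precondition that UniswapV3Pool.swap() enforces (a failing check reverts with 'SPL') and applies one shared limit to two pools. The pool names, prices, the 50 bps tolerance, the helper names and the assumption that both swaps run in the same direction are constructed for illustration.

```python
from fractions import Fraction
from math import isqrt

# Bounds from Uniswap V3 TickMath.
MIN_SQRT_RATIO = 4295128739
MAX_SQRT_RATIO = 1461446703485210103287273052203988822378723970342

def sqrt_price_x96(price: Fraction) -> int:
    """Encode a raw token1/token0 price as a Q64.96 square root."""
    return isqrt((price.numerator << 192) // price.denominator)

def limit_accepted(current: int, limit: int, zero_for_one: bool) -> bool:
    """Model of the precondition in UniswapV3Pool.swap(); False means revert 'SPL'."""
    if zero_for_one:  # price moves down, so the limit must sit below the current price
        return MIN_SQRT_RATIO < limit < current
    return current < limit < MAX_SQRT_RATIO

def limit_for(current: int, slippage_bps: int, zero_for_one: bool) -> int:
    """Hypothetical helper: limit placed slippage_bps away from this pool's own sqrt price."""
    delta = current * slippage_bps // 10_000
    return current - delta if zero_for_one else current + delta

# Constructed prices: the two pools have drifted about 1.3% apart.
POOLS = {
    "perp_pool": sqrt_price_x96(Fraction(1490)),
    "spot_pool": sqrt_price_x96(Fraction(1510)),
}

def shared_limit_results(zero_for_one: bool = True) -> dict:
    """One limit, derived from the spot pool, reused for both swaps."""
    shared = limit_for(POOLS["spot_pool"], 50, zero_for_one)
    return {name: limit_accepted(cur, shared, zero_for_one) for name, cur in POOLS.items()}

def per_pool_results(zero_for_one: bool = True) -> dict:
    """A limit derived separately from each pool's own current price."""
    return {name: limit_accepted(cur, limit_for(cur, 50, zero_for_one), zero_for_one)
            for name, cur in POOLS.items()}

if __name__ == "__main__":
    print("shared  :", shared_limit_results())
    print("per-pool:", per_pool_results())
```

With these constructed prices the shared limit sits above the perp pool's current price, so the first swap would revert even though the same value is a valid bound for the spot pool.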