search

sherlock-audit / 2023-04-splits-judging

4 stars 1 forks source link

J4de - `UniV3OracleImpl.sol#_getQuoteAmount` If `po.fee` is 0, there may be unexpected fees #33

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

J4de

medium

UniV3OracleImpl.sol#_getQuoteAmount If po.fee is 0, there may be unexpected fees

Summary

UniV3OracleImpl.sol#_getQuoteAmount If po.fee is 0, there may be unexpected fees

Vulnerability Detail

File: splits-oracle/src/UniV3OracleImpl.sol
149     function setDefaultFee(uint24 defaultFee_) external onlyOwner {
150         $defaultFee = defaultFee_;
151         emit SetDefaultFee(defaultFee_);
152     }

UniV3OracleImpl.sol's owner can call setDefaultFee function to set $defaultFee.

File: splits-oracle/src/UniV3OracleImpl.sol
248     function _getQuoteAmount(QuoteParams calldata quoteParams_) internal view returns (uint256) {
249         ConvertedQuotePair memory cqp = quoteParams_.quotePair._convert(_convertToken);
250         SortedConvertedQuotePair memory scqp = cqp._sort();
251
252         PairOverride memory po = _getPairOverride(scqp);
253         if (po.scaledOfferFactor == 0) {
254             po.scaledOfferFactor = $defaultScaledOfferFactor;
255         }
256
257         // skip oracle if converted tokens are equal
258         if (cqp.cBase == cqp.cQuote) {
259             return quoteParams_.baseAmount * po.scaledOfferFactor / PERCENTAGE_SCALE;
260         }
261
262 1>      if (po.fee == 0) {
263 1>          po.fee = $defaultFee;
264 1>      }
265         if (po.period == 0) {
266             po.period = $defaultPeriod;
267         }
268
269         address pool = uniswapV3Factory.getPool(scqp.cToken0, scqp.cToken1, po.fee);
270         if (pool == address(0)) {
271             revert Pool_DoesNotExist();
272         }

The _getQuoteAmount function will judge whether the fee of PairOverride is 0, if it is 0, take $defaultFee as po.fee. The problem now is that if for a certain PairOverride, the owner wants to set his fee to 0, but it will be set to $defaultFee unexpectedly by _getQuoteAmount.

Impact

It may lead to get an unexpected uniswapV3 pool, which will eventually affect the price

Code Snippet

https://github.com/0xSplits/splits-oracle/blob/f6628a116d8721289dad2c70d3e3aa14e4815d4e/src/UniV3OracleImpl.sol#L262-L264

Tool used

Manual Review

Recommendation

It is recommended to consider the case where the fee is 0