Incorrect parameters passed to UniV3 may cause funds stuck in the contract
Summary
Note: this issue happened on the deployed version of GoodEntry and was discovered when using https://alpha.goodentry.io/
Due to incorrect parameters and validation when working with UniV3 LP the vault may enter a state where rebalancing reverts. This means any deposits and withdrawals from the vault become unavailable.
Vulnerability Detail
Note: this issue happened on the deployed version of GoodEntry and was discovered when using https://alpha.goodentry.io/
Due to incorrect parameters and validation when working with UniV3 LP the vault may enter a state where rebalancing reverts. This means any deposits and withdrawals from the vault become unavailable.
Impact
lack of slippage protection can lead to a significant loss of user funds. A call to Uniswap V3 is made. Calls amount0Min and amount1Min are each set to 0, which allows for a 100% slippage tolerance. This means, that the action could lead to the caller losing up to 100% of their tokens due to slippage.
kgothatso
high
Incorrect parameters passed to UniV3 may cause funds stuck in the contract
Summary
Note: this issue happened on the deployed version of GoodEntry and was discovered when using https://alpha.goodentry.io/
Due to incorrect parameters and validation when working with UniV3 LP the vault may enter a state where rebalancing reverts. This means any deposits and withdrawals from the vault become unavailable.
Vulnerability Detail
Note: this issue happened on the deployed version of GoodEntry and was discovered when using https://alpha.goodentry.io/
Due to incorrect parameters and validation when working with UniV3 LP the vault may enter a state where rebalancing reverts. This means any deposits and withdrawals from the vault become unavailable.
Impact
lack of slippage protection can lead to a significant loss of user funds. A call to Uniswap V3 is made. Calls amount0Min and amount1Min are each set to 0, which allows for a 100% slippage tolerance. This means, that the action could lead to the caller losing up to 100% of their tokens due to slippage.
Code Snippet
https://github.com/sherlock-audit/2024-02-leverage-contracts/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L353
Tool used
Manual Review
Recommendation
For each vulnerable function, allow the caller to specify values for
amount0Minandamount1Mininstead of setting them to 0.Duplicate of #12