Incorrect amounts checking causes liquidity to be added to the wrong position.
Summary
The check for amounts in _checkAmounts is incorrect, causing the liquidity to be added to the "alt" position when it should be added to the "main" position.
Vulnerability Detail
In _addLiquidity, the "main" position is minted only when the liquidity is non-zero and the amounts check passes; otherwise the "alt" position is minted.
Function: _addLiquidity
270:@> bool amountsOk = _checkAmounts(liquidity, mainLower, mainUpper);
271:
272: // Mint or add liquidity to the position.
273:@> if (liquidity > 0 && amountsOk) {
274:@> _mintPosition(mainLower, mainUpper, amount0, amount1, true);
275: }
Let's dive into _checkAmounts. It requires that neither amount0 nor amount1 is zero. But according to LiquidityAmounts.getAmountsForLiquidity, when the sqrtPrice is not within the price range between _tickLower and _tickUpper, the resulting amount0 or amount1 will be zero. Therefore, it is valid for amount0 or amount1 to be zero, and the check at L410 should be if (amount0 == 0 && amount1 == 0) return false;.
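The effect of the two checks across the three price regions, as an added example that is not the project's code. The amount formulas follow the standard Uniswap V3 LiquidityAmounts library, which the project's copy is assumed to match; check_reported is inferred from the finding's description, and the range and liquidity values are constructed.

```python
Q96 = 1 << 96  # fixed-point scale of sqrtPriceX96 values


def amount0_for_liquidity(sqrt_a, sqrt_b, liquidity):
    # token0 needed to back `liquidity` between two sqrt prices
    return (liquidity << 96) * (sqrt_b - sqrt_a) // sqrt_b // sqrt_a


def amount1_for_liquidity(sqrt_a, sqrt_b, liquidity):
    # token1 needed to back `liquidity` between two sqrt prices
    return liquidity * (sqrt_b - sqrt_a) // Q96


def get_amounts_for_liquidity(sqrt_p, sqrt_a, sqrt_b, liquidity):
    if sqrt_a > sqrt_b:
        sqrt_a, sqrt_b = sqrt_b, sqrt_a
    amount0 = amount1 = 0
    if sqrt_p <= sqrt_a:    # price below the range: position is all token0
        amount0 = amount0_for_liquidity(sqrt_a, sqrt_b, liquidity)
    elif sqrt_p < sqrt_b:   # price inside the range: both tokens
        amount0 = amount0_for_liquidity(sqrt_p, sqrt_b, liquidity)
        amount1 = amount1_for_liquidity(sqrt_a, sqrt_p, liquidity)
    else:                   # price above the range: position is all token1
        amount1 = amount1_for_liquidity(sqrt_a, sqrt_b, liquidity)
    return amount0, amount1


def check_reported(amount0, amount1):
    # Assumed shape of the reported check: fails if either amount is zero.
    return not (amount0 == 0 or amount1 == 0)


def check_recommended(amount0, amount1):
    # The finding's recommendation: fails only if both amounts are zero.
    return not (amount0 == 0 and amount1 == 0)


def compare(sqrt_p, sqrt_a, sqrt_b, liquidity):
    a0, a1 = get_amounts_for_liquidity(sqrt_p, sqrt_a, sqrt_b, liquidity)
    return a0, a1, check_reported(a0, a1), check_recommended(a0, a1)


if __name__ == "__main__":
    lower, upper, liq = Q96, 2 * Q96, 10**18  # constructed range: price 1 to 4
    for label, p in [("below", Q96 // 2), ("inside", 3 * Q96 // 2), ("above", 3 * Q96)]:
        a0, a1, old_ok, new_ok = compare(p, lower, upper, liq)
        print(f"{label:6} amount0={a0} amount1={a1} reported={old_ok} recommended={new_ok}")
```

With the price outside the range, the reported check returns false for a position that has non-zero liquidity, which is the condition that sends the mint to the "alt" position.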
ydlee
medium
Impact
If amount0 or amount1 is zero, liquidity will be added to the "alt" position, but should be added to the "main" position.
Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L270-L275
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L402-L412
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/utils/LiquidityAmounts.sol#L146-L179
Tool used
Manual Review
Recommendation
Change the amounts checking as follows: