DOS would happen in some instances of minting or burning an ITM option #415
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-435
grade-a
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_415_group
AI based duplicate group recommendation
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Comments
c4-bot-6
added
2 (Med Risk)
|
Picodes marked the issue as primary issue |
c4-judge
added
the
primary issue
dyedm1
added
the
sponsor disputed
|
dup #435 ? |
c4-judge
added
duplicate-435
and removed
primary issue
|
Picodes marked the issue as duplicate of #435 |
|
Picodes changed the severity to QA (Quality Assurance) |
c4-judge
added
downgraded by judge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/SemiFungiblePositionManager.sol#L435-L458
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/README.md#L256-L257
Vulnerability details
Proof of Concept
First would be key to note that from the contest's readMe, protocol has stated that tokens that revert on zero value transfers are in scope, i.e https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/README.md#L256-L257
Now take a look at https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/SemiFungiblePositionManager.sol#L435-L458
We can see that this is the function that is used and called by the pool during an ITM option mint/burn, however from this line in Uniswap's native implementation we can see that if no swaps were to occur and this function gets called, then both
amount0Deltaandamount1Deltawill be 0, due to this checkuint256 amountToPay = amount0Delta > 0 ? uint256(amount0Delta) : uint256(amount1Delta);theamount1Deltaends being attempted to be sent which itself is0now since not all instances of mints/burns would include swaps, this would occur, and considering the first paragraph in this report proving that protocol supports tokens that revert on zero token transfers, then this attempt of minting and burning is effectively DOS'd.
Impact
DOS to attempts of minting/burning options, cause if
amount0Deltaandamount1Deltais0the query by Uniswap touniswapV3SwapCallback()function would fail.Recommended Mitigation Steps
Consider checking both
amount0Deltaandamount1Deltabefore attempting to transfer, after checkingif amount0Delta > 0don't just blindly sendamount1Deltaif it can be0, consider applying changing https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/SemiFungiblePositionManager.sol#L435-L458function uniswapV3SwapCallback( int256 amount0Delta, int256 amount1Delta, bytes calldata data ) external { CallbackLib.CallbackData memory decoded = abi.decode(data, (CallbackLib.CallbackData)); CallbackLib.validateCallback(msg.sender, FACTORY, decoded.poolFeatures); - address token = amount0Delta > 0 - ? address(decoded.poolFeatures.token0) - : address(decoded.poolFeatures.token1); + address token; + uint256 amountToPay; - uint256 amountToPay = amount0Delta > 0 ? uint256(amount0Delta) : uint256(amount1Delta); + if (amount0Delta > 0) { + token = address(decoded.poolFeatures.token0); + amountToPay = uint256(amount0Delta); + } else if (amount1Delta > 0) { + token = address(decoded.poolFeatures.token1); + amountToPay = uint256(amount1Delta); + } else { + return; // If both deltas are zero , no transfer needed since no swap was done + } SafeTransferLib.safeTransferFrom(token, decoded.payer, msg.sender, amountToPay); }Alternatively, consider outrightly documenting that these tokens are not supported.
Assessed type
DoS
The text was updated successfully, but these errors were encountered: