Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The removedLiquidity variable has a potential risk of underflow vulnerability #495

Closed
c4-bot-4 opened this issue Dec 11, 2023 · 6 comments
Closed

The removedLiquidity variable has a potential risk of underflow vulnerability #495

c4-bot-4 opened this issue Dec 11, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-516 partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%)

Comments

@c4-bot-4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-11-panoptic/blob/aa86461c9d6e60ef75ed5a1fe36a748b952c8666/contracts/SemiFungiblePositionManager.sol#L979

Vulnerability details

Impact

In the _createLegInAMM function, the removedLiquidity variable may overflow. Once this happens, it can cause significant errors, resulting in a very large value for the removedLiquidity variable.

The variable removedLiquidity is referenced in the function _getPremiaDeltas to calculate the premium. A serious error in the variable 'removedLiquidity' will cause a significant error in the calculation of the user's premium.

Proof of Concept

The following is a partial code excerpt from the _createLegInAMM function:

        unchecked {
            // did we have liquidity already deployed in Uniswap for this chunk range from some past mint?

            // s_accountLiquidity is a LeftRight. The right slot represents the liquidity currently sold (added) in the AMM owned by the user
            // the left slot represents the amount of liquidity currently bought (removed) that has been removed from the AMM - the user owes it to a seller
            // the reason why it is called "removedLiquidity" is because long options are created by removing -ie.short selling LP positions
            uint128 startingLiquidity = currentLiquidity.rightSlot();
            uint128 removedLiquidity = currentLiquidity.leftSlot();
            uint128 chunkLiquidity = _liquidityChunk.liquidity();

            if (isLong == 0) {
                // selling/short: so move from msg.sender *to* uniswap
                // we're minting more liquidity in uniswap: so add the incoming liquidity chunk to the existing liquidity chunk
                updatedLiquidity = startingLiquidity + chunkLiquidity;

                /// @dev If the isLong flag is 0=short but the position was burnt, then this is closing a long position
                /// @dev so the amount of short liquidity should decrease.
                if (_isBurn) {
                    removedLiquidity -= chunkLiquidity;
                }
            }

Note the statement: removedLiquidity -= chunkLiquidity; is contained in the unchecked{} code block, which means solidity will not check for integer overflow. If chunkLiquidity is greater than removedLiquidity, then removedLiquidity will become a very large number due to integer underflow.

Tools Used

Manual audit

Recommended Mitigation Steps

Add a conditional judgment before the statement removedLiquidity -= chunkLiquidity;

if (_isBurn) {
+	if(chunkLiquidity > removedLiquidity) revert('overflow');
	removedLiquidity -= chunkLiquidity;
}

Assessed type

Under/Overflow
@c4-bot-4 c4-bot-4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 11, 2023
c4-bot-3 added a commit that referenced this issue Dec 11, 2023
@c4-bot-3
Neon2835 issue #495
65d7bb5
@c4-judge
Copy link
Contributor

Picodes marked the issue as duplicate of #516

@Picodes
Copy link

Picodes commented Dec 13, 2023

No valid scenario is described

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Dec 26, 2023
@c4-judge
Copy link
Contributor

Picodes changed the severity to 2 (Med Risk)

@c4-judge
Copy link
Contributor

Picodes marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Dec 26, 2023
@c4-judge
Copy link
Contributor

Picodes marked the issue as partial-50

@c4-judge c4-judge added partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) and removed satisfactory satisfies C4 submission criteria; eligible for awards partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) labels Dec 26, 2023
@c4-judge
Copy link
Contributor

Picodes marked the issue as partial-25

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-516 partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Picodes @c4-judge @c4-bot-4