Error due to divison could make CollateralTracker.sol:s_ITMSpreadFee equal to zero
#266
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-469
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
c4-bot-1
added
2 (Med Risk)
|
Picodes marked the issue as duplicate of #469 |
c4-judge
added
duplicate-469
satisfactory
|
Picodes marked the issue as satisfactory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L121
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L249
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L262
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L1110
Vulnerability details
Vulnerability Details
Currently uniswap has 4 fee tier
The 0.01% fee tier is currently the lowest fee tier on uniswap, it was added through a governance vote in Nov 2021. In summary Uniswap fees can go below 100 and when this happens the
CollateralTracker.sol:s_ITMSpreadFeewill become zero for that pool.function startToken( bool underlyingIsToken0, address token0, address token1, uint24 fee, PanopticPool panopticPool ) external { ... uint24 _poolFee; //@audit pool fee can be accidentally set to zero unchecked { @-> _poolFee = fee / 100; } s_poolFee = _poolFee; // Stores the addresses of the underlying tracked tokens. s_univ3token0 = token0; s_univ3token1 = token1; // store whether the current collateral token is token0 (true) or token1 (false; since there's always exactly two tokens it could be) s_underlyingIsToken0 = underlyingIsToken0; // Additional risk premium charged on intrinsic value of ITM positions unchecked { @-> s_ITMSpreadFee = uint128((ITM_SPREAD_MULTIPLIER * _poolFee) / DECIMALS); } }_poolFeewill evaluate to zero iffeeis less than 100, sinces_ITMSpreadFeeis calculated based on_poolFeeit will evaluate to zero too.s_ITMSpreadFee = uint128((ITM_SPREAD_MULTIPLIER * _poolFee) / DECIMALS);Impact
Swap commission will not be paid for affected pools
Proof of Concept
Deploying a pool with fee tier less than
100i.e0.01%.When the
PanopticFactory.sol:deployNewPoolis called with afeeof let say 50,it calls the
collateralTracker0.startToken(true, token0, token1, fee, newPoolContract)with thefeeamount. This is where the division happens and theCollateralTracker.sol:s_ITMSpreadFeeget stored as zeroTool Used
Manual Analysis
Recommendation
Donot divide the fee by 100, use the direct value instead.
Assessed type
Error
The text was updated successfully, but these errors were encountered: