Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $88,500 USDC
Total HM: 31
Participants: 105
Period: 11 days
Judge: ronnyx2017
Total Solo HM: 7
Id: 342
League: ETH
Rank: 61/105
Findings: 1
Award: $72.54
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: y0ng0p3
Also found by: 0xk3y, 0xspryon, Mike_Bello90, Myd, falconhoof, lightoasis, th3l1ghtd3m0n
72.5395 USDC - $72.54
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/transformers/AutoCompound.sol#L163
Actions in the Uniswap NonfungiblePositionManager contract are protected by a deadline parameter to limit the execution of pending transactions. Functions that modify the liquidity of the pool check this parameter against the current block timestamp in order to discard expired actions.
User-provided deadline arguments are utilized in the transformers AutoRange.sol and LeverageTransformer.sol while interacting with the Uniswap NFT Position Manager. However, the execute() function in AutoCompound.sol uses block.timestamp as the deadline argument, which defeats the purpose of using a deadline. Using block.timestamp as the deadline is effectively a no-operation that has no effect and offers no protection. Since block.timestamp will take the timestamp value when the transaction gets mined, the check will end up comparing block.timestamp against itself.
Failure to provide a proper deadline value enables pending transactions to be maliciously executed at a later point to the detriment of the submitter.
    (, state.compounded0, state.compounded1) = nonfungiblePositionManager.increaseLiquidity(
        INonfungiblePositionManager.IncreaseLiquidityParams(
            params.tokenId, state.maxAddAmount0, state.maxAddAmount1, 0, 0, block.timestamp
        )
    );
Manual Review
Add a deadline parameter to the ExecuteParams struct and forward it to the corresponding underlying call to the Uniswap NonfungiblePositionManager contract.
Uniswap
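The recommendation above, sketched as an added example that is not code from the audited repository or from the warden. MockPositionManager, CompounderSketch, executeNoDeadline and the two-field ExecuteParams are hypothetical simplifications; only the deadline check follows the Uniswap v3 periphery's checkDeadline modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for the position manager: it keeps only the deadline
// check and echoes the desired amounts back instead of touching a pool.
contract MockPositionManager {
    struct IncreaseLiquidityParams {
        uint256 tokenId; uint256 amount0Desired; uint256 amount1Desired;
        uint256 amount0Min; uint256 amount1Min; uint256 deadline;
    }

    modifier checkDeadline(uint256 deadline) {
        require(block.timestamp <= deadline, "Transaction too old");
        _;
    }

    function increaseLiquidity(IncreaseLiquidityParams calldata p)
        external
        checkDeadline(p.deadline)
        returns (uint128 liquidity, uint256 amount0, uint256 amount1)
    {
        return (0, p.amount0Desired, p.amount1Desired);
    }
}

// Hypothetical caller showing both ways of supplying the deadline.
contract CompounderSketch {
    MockPositionManager public immutable npm;

    struct ExecuteParams {
        uint256 tokenId;
        uint256 deadline; // assumed new field, per the recommendation
    }

    constructor(MockPositionManager _npm) { npm = _npm; }

    // Pattern from the finding: the deadline is read when the call is mined,
    // so the manager checks block.timestamp <= block.timestamp and never reverts.
    function executeNoDeadline(uint256 tokenId, uint256 max0, uint256 max1) external {
        npm.increaseLiquidity(MockPositionManager.IncreaseLiquidityParams(
            tokenId, max0, max1, 0, 0, block.timestamp));
    }

    // Recommended pattern: the deadline is fixed when the transaction is signed,
    // so inclusion after it reverts with "Transaction too old".
    function execute(ExecuteParams calldata params, uint256 max0, uint256 max1) external {
        npm.increaseLiquidity(MockPositionManager.IncreaseLiquidityParams(
            params.tokenId, max0, max1, 0, 0, params.deadline));
    }
}
```

In a test that advances the block timestamp past params.deadline, execute reverts while executeNoDeadline still succeeds with the same arguments.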
#0 - c4-pre-sort
2024-03-18T13:55:04Z
0xEVom marked the issue as duplicate of #147
#1 - 0xEVom
2024-03-18T13:55:13Z
Only mentions execute()
#2 - c4-pre-sort
2024-03-18T14:38:49Z
0xEVom marked the issue as sufficient quality report
#3 - c4-judge
2024-03-31T16:02:08Z
jhsagd76 marked the issue as satisfactory