Platform: Code4rena
Start Date: 27/11/2023
Pot Size: $60,500 USDC
Total HM: 7
Participants: 72
Period: 7 days
Judge: Picodes
Total Solo HM: 2
Id: 309
League: ETH
Rank: 59/72
Findings: 1
Award: $11.32
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: osmanozdemir1
Also found by: 0xCiphky, Audinarey, Banditx0x, CRYP70, Cryptor, D1r3Wolf, KupiaSec, LokiThe5th, Sathish9098, Skylice, ThenPuli, Topmark, Udsen, ZanyBonzy, baice, ether_sky, fatherOfBlocks, foxb868, grearlake, hihen, hubble, hunter_w3b, lanrebayode77, leegh, lsaudit, minhtrng, nocoder, onchain-guardians, ptsanev, ro1sharkm, seaton0x1, sivanesh_808, t4sk, tapir, tpiliposian, ustas
11.3163 USDC - $11.32
s_accountFeesBase

The dev description for s_accountFeesBase is wrongly described as:

    /// @dev mapping that stores a LeftRight packing of feesBase of keccak256(abi.encodePacked(address poolAddress, address owner, int24 tickLower, int24 tickUpper))

missing out the token type.

Change comment to:

    /// @dev mapping that stores a LeftRight packing of feesBase of keccak256(abi.encodePacked(address poolAddress, address owner, uint256 tokenType, int24 tickLower, int24 tickUpper))

univ3pool is cached after flipping the isLong bits

When burnTokenizedPosition(...) is called, the isBurn flag is set to true and the isLong bit for each leg of the tokenId is flipped, thereby changing the tokenId.

    function _validateAndForwardToAMM(
        uint256 tokenId,
        uint128 positionSize, // liquidity
        int24 tickLimitLow,
        int24 tickLimitHigh,
        bool isBurn
    ) internal returns (int256 totalCollectedFromAMM, int256 totalMoved, int24 newTick) {
        // Reverts if positionSize is 0 and user did not own the position before minting/burning
        if (positionSize == 0) revert Errors.OptionsBalanceZero();

        /// @dev the flipToBurnToken() function flips the isLong bits for burn it makes short long and longs short
        if (isBurn) {
            tokenId = tokenId.flipToBurnToken();
        }

        // Validate tokenId
        // Extract univ3pool from the poolId map to Uniswap Pool
        IUniswapV3Pool univ3pool = s_poolContext[tokenId.validate()].pool;

        // Revert if the pool not been previously initialized
        if (univ3pool == IUniswapV3Pool(address(0))) revert Errors.UniswapPoolNotInitialized();
        ...
    }

Although the tokenId is a 256 bit word with different variables encoded into it, and it does not necessarily affect the pool address, consider caching the univ3pool before flipping the isLong bits.

_getPremiaDeltas(...)

The return descriptions for deltaPremiumOwed and deltaPremiumGross are wrongly described as:

    /// @return deltaPremiumOwed The extra premium (per liquidity X64) to be added to the owed accumulator for token0 (right) and token1 (right)
    /// @return deltaPremiumGross The extra premium (per liquidity X64) to be added to the gross accumulator for token0 (right) and token1 (right)

Change comment to:

    /// @return deltaPremiumOwed The extra premium (per liquidity X64) to be added to the owed accumulator for token0 (right) and token1 (left)
    /// @return deltaPremiumGross The extra premium (per liquidity X64) to be added to the gross accumulator for token0 (right) and token1 (left)

#0 - c4-judge
2023-12-14T16:50:23Z
Picodes marked the issue as grade-b