Panoptic - Banditx0x's results

Effortless options trading on any token, any strike, any size.

General Information

Platform: Code4rena

Start Date: 27/11/2023

Pot Size: $60,500 USDC

Total HM: 7

Participants: 72

Period: 7 days

Judge: Picodes

Total Solo HM: 2

Id: 309

League: ETH

Researcher Performance

Rank: 60/72

Findings: 1

Award: $11.32

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

11.3163 USDC - $11.32

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
edited-by-warden
duplicate-211
Q-11

External Links

Lines of code

https://github.com/code-423n4/2023-11-panoptic/blob/aa86461c9d6e60ef75ed5a1fe36a748b952c8666/contracts/SemiFungiblePositionManager.sol#L1050-L1059

Vulnerability details

Impact

When there is borrowed liquidity, but zero net liquidity for a positionKey, the premia for the borrowed position is not updated.

Proof of Concept

liquidity.rightSlot is the net liquidity (totalLiquidity - removedLiquidity). It is possible for this value to be 0 when there has been liquidity added and 100% of the liquidity has been removed/borrowed. In this case, liquidity.leftSlot() is positive, while liquidity.rightSlot() is 0.

Within the _createLegInAmm function, the _collectAndWritePositionData is skipped if right slot is 0, even if there is a value in the left slot:

        if (currentLiquidity.rightSlot() > 0) {
            _totalCollected = _collectAndWritePositionData(
                _liquidityChunk,
                _univ3pool,
                currentLiquidity,
                positionKey,
                _moved,
                isLong
            );
        }

This makes some sense as when there is no net liquidity, no fees are collected via the collect call to the Uniswap pool. However, _collectAndWritePositionData also contains the _updatePremiaDelta function call. This is NOT meant to be skipped when there is non-zero removedLiquidity in the liquidity chunk. The premiaOwed ends up not being tracked for the borrowed liquidity.

Tools Used

Manual Review

Change:

if (currentLiquidity.rightSlot() > 0)

to:

if (currentLiquidity > 0)

Within the collectAndWritePositionData call, a condition could be added so that the logic that collects the fees is skipped when there is no net liquidity. However, the premia update should still execute if there is borrowed liquidity.

Assessed type

Invalid Validation
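
The guard behaviour this finding describes, as an added Solidity sketch that is not code from the finding or from Panoptic. The contract name, the counters and the two touch functions are hypothetical, and the slot packing (net liquidity in the low 128 bits, removed liquidity in the high 128 bits) is an assumption based on the finding's description of rightSlot and leftSlot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration: a simplified model, not Panoptic's contract code.
/// Assumed packing: low 128 bits = net liquidity (rightSlot),
/// high 128 bits = removed/borrowed liquidity (leftSlot).
contract GuardModel {
    uint256 public feeCollections; // times the modelled fee collection ran
    uint256 public premiaUpdates;  // times the modelled premia update ran

    function pack(uint128 net, uint128 removed) public pure returns (uint256) {
        return (uint256(removed) << 128) | uint256(net);
    }

    function rightSlot(uint256 x) public pure returns (uint128) {
        return uint128(x); // explicit truncation to the low 128 bits
    }

    function leftSlot(uint256 x) public pure returns (uint128) {
        return uint128(x >> 128);
    }

    /// Guard as quoted in the finding: both steps sit behind the
    /// net-liquidity check, so pack(0, 100) changes neither counter.
    function touchAsReported(uint256 currentLiquidity) external {
        if (rightSlot(currentLiquidity) > 0) {
            feeCollections++;
            premiaUpdates++;
        }
    }

    /// Guard split along the lines the finding suggests: collect fees only
    /// when there is net liquidity, update premia when either slot is set.
    /// pack(0, 100) leaves feeCollections unchanged and bumps premiaUpdates.
    function touchSplit(uint256 currentLiquidity) external {
        if (currentLiquidity == 0) return;
        if (rightSlot(currentLiquidity) > 0) {
            feeCollections++;
        }
        premiaUpdates++;
    }
}
```

Calling both functions with pack(0, 100), a chunk that is fully borrowed, shows the difference the finding points at: only touchSplit records a premia update.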

#0 - c4-judge

2023-12-14T13:07:05Z

Picodes marked the issue as duplicate of #362

#1 - c4-judge

2023-12-26T21:49:37Z

Picodes changed the severity to QA (Quality Assurance)

#2 - c4-judge

2023-12-26T23:08:51Z

Picodes marked the issue as grade-b
