Platform: Code4rena
Start Date: 03/07/2023
Pot Size: $40,000 USDC
Total HM: 14
Participants: 74
Period: 7 days
Judge: alcueca
Total Solo HM: 9
Id: 259
League: ETH
Rank: 10/74
Findings: 2
Award: $762.57
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: qpzm
Also found by: CRIMSON-RAT-REACH
745.0513 USDC - $745.05
The removeLiquidityImbalanced function in the Well.sol contract is vulnerable to a potential underflow. This could disrupt the contract's functionality and prevent users from removing liquidity in an imbalanced manner. Furthermore, the function does not appropriately handle cases where reserves can be greater than minted liquidity due to external factors like donations. This could lead to unnecessary reverts of legitimate removeLiquidity transactions.
The issue is located in the removeLiquidityImbalanced function of the Well.sol contract, specifically at this line: Well.sol#L562.
The potential underflow occurs in the following line of code:
lpAmountIn = totalSupply() - _calcLpTokenSupply(wellFunction(), reserves);
In addition, the function doesn't handle the scenario where reserves can be greater than minted liquidity due to external factors like donations. This could lead to unnecessary reverts of legitimate removeLiquidity transactions.
The code review and analysis were performed manually, without the use of any specific security tools.
To mitigate this issue, it is recommended to add a check to ensure totalSupply() is not less than the return value of _calcLpTokenSupply. If it is, lpTokenSupply should be set to totalSupply(). This change would make the function call complete successfully even when reserves can be greater than minted liquidity due to donations. Here is an example of how this could be implemented:
uint256 lpTokenSupply = _calcLpTokenSupply(wellFunction(), reserves); if (totalSupply() < lpTokenSupply) { lpTokenSupply = totalSupply(); } lpAmountIn = totalSupply() - lpTokenSupply;
This change will prevent the underflow from happening and also account for the scenario where reserves are greater than the total supply of liquidity tokens. This allows the function to handle donations and similar scenarios without reverting legitimate removeLiquidity transactions.
Math
#0 - c4-pre-sort
2023-07-11T15:43:40Z
141345 marked the issue as low quality report
#1 - 141345
2023-07-12T16:28:29Z
donation could break the LP totalSupply(), causing underflow and revert
recommendation might not be right
#2 - c4-pre-sort
2023-07-12T16:32:11Z
141345 marked the issue as primary issue
#3 - c4-pre-sort
2023-07-12T16:32:17Z
141345 marked the issue as high quality report
#4 - publiuss
2023-07-21T15:21:44Z
A donation would not break this function as the Well implementation uses the reserve balances stored in the contract state, not the return value of balanceOf.
It is hard to verify that an underflow is possible without a proper POC. I was unable to replicate this underflow issue with fuzz testing in Foundry. This issue should be considered invalid unless the reporter provides a valid POC of reserve balances that cause the invariant to break.
#5 - c4-sponsor
2023-07-21T15:23:26Z
publiuss marked the issue as sponsor disputed
#6 - itsmetechjay
2023-07-21T18:17:03Z
I have reached out to the warden team, per sponsor's request, to get a POC for this finding.
#7 - qpzm
2023-07-22T01:59:32Z
I suggested a POC in #191 .
#8 - itsmetechjay
2023-07-23T00:07:18Z
With the short notice, the warden team was not able to provide a code POC. They did state the following:
Here are the steps we thought about in order to reproduce the issue. Suppose a Constant product 2 pool and Well as provided Steps: Donate X token0 to the pool call sync() Try to withdraw imbalanced X-1 token0 from the pool
#9 - c4-sponsor
2023-07-31T22:38:12Z
publiuss marked the issue as sponsor confirmed
#10 - publiuss
2023-07-31T22:39:03Z
191 .
This report provides a valid POC of how a sync() function call could block a removeTokenImbalanced(...) function call. Changing to confirm.
#11 - c4-judge
2023-08-04T19:53:54Z
alcueca marked the issue as satisfactory
#12 - c4-judge
2023-08-05T21:17:05Z
alcueca marked the issue as duplicate of #191
#13 - alcueca
2023-08-05T21:18:17Z
#191 and this issue were submitted by the same warden, so this one must be nullified
#14 - c4-judge
2023-08-05T21:18:22Z
alcueca marked the issue as nullified
#15 - c4-judge
2023-08-05T21:41:07Z
alcueca changed the severity to 3 (High Risk)
#16 - c4-judge
2023-08-15T20:59:31Z
alcueca marked the issue as not nullified
#17 - c4-judge
2023-08-15T21:02:00Z
alcueca marked the issue as partial-50
#18 - c4-judge
2023-08-15T21:02:07Z
alcueca marked the issue as satisfactory
#19 - alcueca
2023-08-15T21:03:50Z
Marked as not nullified after the warden's comments on team composition. 50% credit due to the difference in report quality to #191.
#20 - c4-judge
2023-08-22T13:19:09Z
alcueca changed the severity to 2 (Med Risk)
🌟 Selected for report: 0xprinc
Also found by: 0x11singh99, 0xAnah, 0xWaitress, 0xkazim, 2997ms, 33audits, 404Notfound, 8olidity, CRIMSON-RAT-REACH, CyberPunks, DanielWang888, Deekshith99, Eeyore, Eurovickk, Inspecktor, JGcarv, John, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Qeew, QiuhaoLi, Rolezn, TheSavageTeddy, Topmark, Trust, Udsen, a3yip6, alexzoid, bigtone, codegpt, erebus, fatherOfBlocks, ginlee, glcanvas, hunter_w3b, josephdara, kaveyjoe, kutugu, mahdirostami, max10afternoon, oakcobalt, peanuts, pfapostol, ptsanev, qpzm, radev_sw, ravikiranweb3, sces60107, seth_lawson, te_aut, twcctop, zhaojie, ziyou-
17.5208 USDC - $17.52
The contract has several events that are not marked as indexed. This can result in inefficient event filtering and querying, as well as potential limitations in functionality for applications built on top of this contract.
Without indexing, event filtering becomes resource-intensive, hindering scalability and impeding the contract's ability to handle a high volume of events. Additionally, the absence of indexing limits the functionality and flexibility of applications built on top of the contract, making advanced event-based queries and operations challenging. This inefficiency increases computational resources, transaction costs, and raises compliance and audit concerns, potentially resulting in legal and reputational risks for the contract deployer. Promptly addressing this critical issue is crucial to ensure optimal performance, usability, and regulatory compliance of the contract.
N/A
Manual Review
Add the indexed keyword in each event.
Other
#0 - c4-pre-sort
2023-07-11T14:28:37Z
141345 marked the issue as low quality report
#1 - alcueca
2023-08-04T19:54:49Z
Valid QA
#2 - c4-judge
2023-08-04T19:54:54Z
alcueca changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-08-05T10:17:46Z
alcueca marked the issue as grade-a