Platform: Code4rena
Start Date: 01/04/2024
Pot Size: $120,000 USDC
Total HM: 11
Participants: 55
Period: 21 days
Judge: Picodes
Total Solo HM: 6
Id: 354
League: ETH
Rank: 33/55
Findings: 1
Award: $32.96
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: DadeKuma
Also found by: 0xStalin, 0xhacksmithh, 99Crits, Aymen0909, Bauchibred, CodeWasp, Dup1337, IllIllI, John_Femi, K42, KupiaSec, Naresh, Rhaydden, Rolezn, Sathish9098, Topmark, ZanyBonzy, albahaca, bareli, blockchainbuttonmasher, cheatc0d3, codeslide, crc32, d3e4, favelanky, grearlake, hihen, jasonxiale, jesjupyter, lanrebayode77, lirezArAzAvi, lsaudit, mining_mario, oualidpro, pfapostol, radin100, rbserver, sammy, satoshispeedrunner, slvDev, twcctop, zabihullahazadzoi
32.9585 USDC - $32.96
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/PanopticPool.sol#L547-#L561
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/SemiFungiblePositionManager.sol#L688
In the current design of the protocol, it only restricts users from minting a position with position size = 0:
    function _validateAndForwardToAMM(
        TokenId tokenId,
        uint128 positionSize,
        int24 tickLimitLow,
        int24 tickLimitHigh,
        bool isBurn
    ) internal returns (LeftRightUnsigned[4] memory collectedByLeg, LeftRightSigned totalMoved) {
        // Reverts if positionSize is 0 and user did not own the position before minting/burning
        if (positionSize == 0) revert Errors.OptionsBalanceZero(); // <---
An attacker can conduct a griefing attack by continuously minting long positions with dust amounts, which leads to bad debt for the protocol in the worst case.
There is no incentive for anyone to mint them, which leads to bad debt for the protocol.
Manual review
Add a minimum positionSize.
Context
#0 - c4-judge
2024-04-23T11:46:50Z
Picodes marked the issue as duplicate of #247
#1 - c4-judge
2024-05-06T10:22:46Z
Picodes marked the issue as duplicate of #313
#2 - c4-judge
2024-05-06T13:34:38Z
Picodes changed the severity to QA (Quality Assurance)
#3 - c4-judge
2024-05-06T16:06:32Z
Picodes marked the issue as grade-b