Platform: Code4rena
Start Date: 01/04/2024
Pot Size: $120,000 USDC
Total HM: 11
Participants: 55
Period: 21 days
Judge: Picodes
Total Solo HM: 6
Id: 354
League: ETH
Rank: 19/55
Findings: 2
Award: $648.15
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: DadeKuma
Also found by: Bauchibred, Dup1337, Vancelot, jesjupyter, sammy
615.1933 USDC - $615.19
There is no slippage protection during the minting of full-range-liquidity. In the process, the slot0 is queried and there is no check from the user that the liquidity should be within an acceptable range. Thus user may suffer from loss when providing liquidity in Uniswap V3.
In PanopticFactory::deployNewPool, the full-range liquidity should be provided by msg.sender.
// Mints the full-range initial deposit // which is why the deployer becomes also a "donor" of full-range liquidity // The SFPM will `safeTransferFrom` tokens from the donor during the mint callback (uint256 amount0, uint256 amount1) = _mintFullRange(v3Pool, token0, token1, fee);
In the _mintFullRange, the IUniswapV3Pool(v3Pool).mint is being called. But there is no slippage protection during the minting of full-range-liquidity. In the process, the slot0 is queried and there is no check from the user that the liquidity should be within an acceptable range.
(uint160 currentSqrtPriceX96, , , , , , ) = v3Pool.slot0(); ... return IUniswapV3Pool(v3Pool).mint( address(this), tickLower, tickUpper, fullRangeLiquidity, mintCallback );
Thus, if the pool has gone through prices changes before the mint, the user may suffer from slippage loss.
Manual
It is recommended to add slippage protection in the function PanopticFactory::deployNewPool.
MEV
#0 - c4-judge
2024-04-24T19:56:11Z
Picodes marked the issue as unsatisfactory: Invalid
#1 - c4-judge
2024-04-24T19:56:25Z
Picodes marked the issue as unsatisfactory: Invalid
#2 - Picodes
2024-04-24T20:00:06Z
It's a new pool so by definition there is no price to manipulate yet
#3 - jes16jupyter
2024-05-07T12:06:46Z
Hi @Picodes I guess it's the duplicate of #537. Suffering from v3Pool.slot0() which could be manipulated.
#4 - c4-judge
2024-05-09T23:12:15Z
Picodes marked the issue as duplicate of #537
#5 - Picodes
2024-05-09T23:12:24Z
Indeed, thanks for flagging
#6 - c4-judge
2024-05-09T23:12:26Z
Picodes marked the issue as satisfactory
🌟 Selected for report: DadeKuma
Also found by: 0xStalin, 0xhacksmithh, 99Crits, Aymen0909, Bauchibred, CodeWasp, Dup1337, IllIllI, John_Femi, K42, KupiaSec, Naresh, Rhaydden, Rolezn, Sathish9098, Topmark, ZanyBonzy, albahaca, bareli, blockchainbuttonmasher, cheatc0d3, codeslide, crc32, d3e4, favelanky, grearlake, hihen, jasonxiale, jesjupyter, lanrebayode77, lirezArAzAvi, lsaudit, mining_mario, oualidpro, pfapostol, radin100, rbserver, sammy, satoshispeedrunner, slvDev, twcctop, zabihullahazadzoi
32.9585 USDC - $32.96
ERC1155::supportsInterface should be virtual, otherwise it can't be override to add other interface-support.
In the function ERC1155::supportsInterface, there is no virtual for the function, so that it can not be override.
function supportsInterface(bytes4 interfaceId) public pure returns (bool) { return interfaceId == 0x01ffc9a7 || // ERC165 Interface ID for ERC165 interfaceId == 0xd9b67a26; // ERC165 Interface ID for ERC1155 }
Since ERC1155 currently doesn't support interfaceId == 0x0e89341c(ERC165 Interface ID for ERC1155MetadataURI), the supportsInterface could not be changed to add more interfaces. This may cause future integration problems.
Manual
Add virtual for function supportsInterface so that more interfaces could be added in the future for better implementation.
Other
#0 - c4-judge
2024-04-26T09:14:41Z
Picodes changed the severity to QA (Quality Assurance)
#1 - c4-judge
2024-04-26T17:19:16Z
Picodes marked the issue as grade-b