Back to lightoasis's contests

Revert Lend - lightoasis's results

A lending protocol specifically designed for liquidity providers on Uniswap v3.

General Information

Platform: Code4rena

Start Date: 04/03/2024

Pot Size: $88,500 USDC

Total HM: 31

Participants: 105

Period: 11 days

Judge: ronnyx2017

Total Solo HM: 7

Id: 342

League: ETH

Revert

Findings Distribution

Researcher Performance

Rank: 59/105

Findings: 1

Award: $72.54

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryRevert

Findings Information

🌟 Selected for report: y0ng0p3

Also found by: 0xk3y, 0xspryon, Mike_Bello90, Myd, falconhoof, lightoasis, th3l1ghtd3m0n

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
edited-by-warden
:robot:_38_group
duplicate-147

Awards

72.5395 USDC - $72.54

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L1066

Vulnerability details

Vulnerability

The vulnerability and impact is similar to Particle M-02 where block.timestamp was used as the deadline argument while interacting with the Uniswap NFT Position Manager. Using block.timestamp as a deadline completely defeats the purpose of using a deadline.

Impact

Actions in the Uniswap NonfungiblePositionManager contract are protected by a deadline parameter to limit the execution of pending transactions. Functions that modify the liquidity of the pool check this parameter against the current block timestamp in order to discard expired actions.

These interactions with the Uniswap position are present in the V3Vault contract. Specifically, _sendPositionValue() which is called during liquidate() calls onfungiblePositionManager.decreaseLiquidity() while providing block.timestamp as the argument for the deadline parameter: V3Vault.sol#L1066

if (liquidity > 0) {
            nonfungiblePositionManager.decreaseLiquidity(
                INonfungiblePositionManager.DecreaseLiquidityParams(tokenId, liquidity, 0, 0, block.timestamp)
            );
        }

Using block.timestamp as the deadline is effectively a no-operation that has no effect nor protection. Since block.timestamp will take the timestamp value when the transaction gets mined, the check will end up comparing block.timestamp against the same value, i.e. block.timestamp <= block.timestamp (see here).

Failure to provide a proper deadline value enables pending transactions to be maliciously executed at a later point. Transactions that provide an insufficient amount of gas such that they are not mined within a reasonable amount of time, can be picked by malicious actors or MEV bots and executed later in detriment of the submitter.

See this issues for an excellent reference on the topic (the author runs a MEV bot).

Recommendation

Add a deadline parameter for the INonfungiblePositionManager.DecreaseLiquidityParams() call

Assessed type

Uniswap

#0 - c4-pre-sort

2024-03-18T14:01:22Z

0xEVom marked the issue as duplicate of #147

#1 - 0xEVom

2024-03-18T14:01:29Z

Only mentions _sendPositionValue()

#2 - c4-pre-sort

2024-03-18T14:38:43Z

0xEVom marked the issue as sufficient quality report

#3 - c4-judge

2024-03-31T16:00:28Z

jhsagd76 marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter