UniStaker Infrastructure - nnez's results

Staking infrastructure to empower Uniswap Governance.

General Information

Platform: Code4rena

Start Date: 23/02/2024

Pot Size: $92,000 USDC

Total HM: 0

Participants: 47

Period: 10 days

Judge: 0xTheC0der

Id: 336

League: ETH

Uniswap Foundation

Researcher Performance

Rank: 17/47

Findings: 1

Award: $694.30

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

694.2987 USDC - $694.30

Labels

bug
grade-b
QA (Quality Assurance)
satisfactory
:robot:_34_group
duplicate-45
Q-20

External Links

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/V3FactoryOwner.sol#L193-L194

Vulnerability details

Description

When calling V3FactoryOwner.sol#claimFees, the _amount0 and _amount1 returned from calling _pool#collectProtocol must be equal to or greater than amount(0,1)Requested, or else the transaction reverts.

However, in the actual implementation of V3Pool (https://github.com/Uniswap/v3-core/blob/main/contracts/UniswapV3Pool.sol#L848)

    if (amount0 > 0) {
        if (amount0 == protocolFees.token0) amount0--; // ensure that the slot is not cleared, for gas savings
        ...
    ...

The actual pool#collectProtocol tries to save gas and reduces _amount0 and _amount1 by 1 to prevent storage clearance in the case that the requested amount is equal to the currently collected protocol fee.

Therefore, calling V3FactoryOwner.sol#claimFees with the maximum requested amount will always fail, because the returned _amount0 and _amount1 will always be off by 1.

The mitigation depends on how you view this issue: (1) add a note in the comment section about this case, or (2) allow off-by-one slippage in the claimFees function.

Assessed type

Other
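
The interaction described in this finding, as an added example that is not part of the original submission or of the project's code: a small Python model of the pool's fee slot and the claimFees check, including mitigation (2). The names PoolModel, claim_fees and try_claim and the fee values are constructed, and capping each request at the accrued fees is an assumption about the part of collectProtocol that the quoted snippet elides.

```python
class InsufficientFeesCollected(Exception):
    """Stands in for the revert raised by the claimFees check."""


class PoolModel:
    """Constructed model of a pool's accrued protocol fees (token0, token1)."""

    def __init__(self, fees0, fees1):
        self.fees = [fees0, fees1]

    def collect_protocol(self, req0, req1):
        collected = []
        for i, requested in enumerate((req0, req1)):
            amount = min(requested, self.fees[i])  # assumption: capped at accrued fees
            if amount > 0:
                if amount == self.fees[i]:
                    amount -= 1  # slot is never cleared, as in the quoted snippet
                self.fees[i] -= amount
            collected.append(amount)
        return tuple(collected)


def claim_fees(pool, req0, req1, tolerance=0):
    """Model of the check in claimFees. tolerance=1 models mitigation (2)."""
    got0, got1 = pool.collect_protocol(req0, req1)
    if got0 + tolerance < req0 or got1 + tolerance < req1:
        raise InsufficientFeesCollected((got0, got1))
    return got0, got1


def try_claim(fees, request, tolerance=0):
    """Run one claim against a fresh pool, so a 'revert' leaves no state behind."""
    pool = PoolModel(*fees)
    try:
        return claim_fees(pool, *request, tolerance=tolerance)
    except InsufficientFeesCollected:
        return "revert"


if __name__ == "__main__":
    accrued = (1000, 500)  # constructed fee balances
    print(try_claim(accrued, (1000, 500)))               # strict check, full balance
    print(try_claim(accrued, (999, 499)))                # strict check, balance - 1
    print(try_claim(accrued, (1000, 500), tolerance=1))  # off-by-one slippage allowed
```

Under the strict check, a caller has to request at most the accrued amount minus 1 for each token it claims; a request of 0 for a token is unaffected because the decrement only applies when the collected amount is non-zero.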

#0 - c4-judge

2024-03-07T12:41:35Z

MarioPoneder marked the issue as duplicate of #34

#1 - c4-judge

2024-03-14T01:38:05Z

MarioPoneder marked the issue as satisfactory

#2 - c4-judge

2024-03-26T23:00:01Z

MarioPoneder marked the issue as grade-b
