-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
If all the liquidity for a specific position is transferred from Uniswap, that liquidity will not generate fees. #211
Comments
Picodes marked the issue as duplicate of #362 |
Picodes marked the issue as selected for report |
dyedm1 (sponsor) disputed |
It's important to note that this account premium calculation is not actually used anywhere within the SFPM, and is an opinionated calculation exposed for optional use by protocols such as Panoptic to price options. With that being said, part of the opinionated definition of that calculation includes a multiplier on the premium for option buyers based on the utilization on a given chunk. As is illustrated by this graph of the relationship between the utilization and the premium multiplier, there is a vertical asymptote at 100% utilization. Thus, it is expected that protocols using this feature will cap utilization at a certain percentage (for example, Panoptic allows a maximum utilization of 90%). The long premium calculations at a utilization of 100% (where netLiquidity=0) cannot be performed because the multiplier approaches infinity and would be undefined at that utilization. In that situation, it makes the most sense to forego the premium calculation. Protocols who use this calculation should understand this behavior and either implement a utilization cap or accept that premium will be 0 at utilization=100% |
Picodes changed the severity to 2 (Med Risk) |
Considering the maths of the multiplier and the fact that these functions are only helpers within the SFPM itself, there is no bug here so these reports are valuable but only highlighting an edge case protocols should be aware of. I'll downgrade to QA. |
Picodes changed the severity to QA (Quality Assurance) |
Picodes marked the issue as not selected for report |
Lines of code
https://github.com/code-423n4/2023-11-panoptic/blob/f75d07c345fd795f907385868c39bafcd6a56624/contracts/SemiFungiblePositionManager.sol#L1050-L1059
https://github.com/code-423n4/2023-11-panoptic/blob/f75d07c345fd795f907385868c39bafcd6a56624/contracts/SemiFungiblePositionManager.sol#L1394-L1420
Vulnerability details
Impact
There are two types of liquidity: one remains in
Uniswap
, and the other is transferred fromUniswap
by users.SFPM
tracks owed fees for the liquidity moved fromUniswap
as if it were still inUniswap
.This is crucial because protocols utilizing
SFPM
can access these owed fees and request fees from users moving liquidity fromUniswap
.However, if all liquidity for certain positions is shifted from
Uniswap
, these specific liquidities will not generate fees.Users utilizing this liquidity are consequently exempt from fees in this scenario.
Proof of Concept
All fee calculations are predicated on the assumption that the net liquidity is not zero.
When minting or burning tokens, we only update the owed and gross premia when the net liquidity is non-zero.
https://github.com/code-423n4/2023-11-panoptic/blob/f75d07c345fd795f907385868c39bafcd6a56624/contracts/SemiFungiblePositionManager.sol#L1050-L1059
The same principle applies in the
getAccountPremium
function.https://github.com/code-423n4/2023-11-panoptic/blob/f75d07c345fd795f907385868c39bafcd6a56624/contracts/SemiFungiblePositionManager.sol#L1394-L1420
However, a net liquidity of zero does not imply that a position lacks liquidity; this situation arises when all liquidity has been moved from
Uniswap
by users.Consider the following example: a user creates a short
call
throughPanoptic
for[L1, U1]
and depositsX
liquidity intoUniswap
.The user expects to receive at least fees from
Uniswap
.Another user creates a long
call
throughPanoptic
for[L1, U1]
and transfersX
liquidity fromUniswap
.The net liquidity for
[L1, U1]
is now zero, andUniswap
will not generate fees for this.Consequently, the liquidity will not generate any fees either.
In practical terms, this means that the user who created the short
call
cannot receive any fees, and the user who created the longcall
can use that liquidity without incurring fees.The PoC test is as below:
Tools Used
Manual
Recommended Mitigation Steps
It is essential to account for scenarios where the net liquidity is zero.
At this point, the spread variable, represented as
v * R / N
, is undefined whenN
is0
.Additionally, the equation
feesCollected = feesGrowthX128 * (T-R)
is not valid whenN
(which is equal toT−R
) is0
.One possible solution is to track the fee growth amount instead of
s_accountFeesBase
.Assessed type
Math
The text was updated successfully, but these errors were encountered: