-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
premia calculation can cause DOS #520
Comments
For impact 1. this is a semi-dup of #211 (read comment there) and for the same reason a cap is expected to be followed for removed liquidity. For individual SFPM users removing their own liquidity with long positions is a bit silly, but users should be aware of the dangers of removing too much. Perhaps we should add a warning to make sure people understand this. The alternative is allowing the premium to overflow which can itself cause issues, but since we never expect it to overflow on cap-implementing protocols that overflow check may not be productive. Still, I would err toward lower impact on that since it is kind of a user error thing though that wouldn't really happen unless you did it on purpose. Impact 2. is certainly a problem but it is pretty much a dup of #256 and in fact this specific facet is the only reason why I think 256 can be a High instead of a Med. Not sure what the best way to handle this is but I think splitting this up into two issues and combining impact 2 with the duplicates might make the most sense. Ultimately they are talking about the same issues from different perspectives, so if we keep them separate we have a bunch of very similar issues (none of the 211-related ones except for this seem to be valid issues, but a lot of the valid issues are just various perspectives of 256) |
dyedm1 (sponsor) confirmed |
1 would indeed follow the same reasoning as #211 so would be of Low severity. However, indeed 2 is a real scenario of self-DoS due to a rounding error leading to an overflow in |
Picodes marked the issue as satisfactory |
Picodes marked the issue as selected for report |
Yeah I see that. They're not actually overflowing the removedLiquidity so it doesn't involve any of the underlying issues in 256, it just happens to lead to similar impacts. That's fine. |
@Picodes I believe this issue deserves to be a medium rather than a high since it can only occur with a few tokens with billions of token supply, or it requires millions of dollars. As the author of the submission says, it requires huge amount of transfers. The warden's example in this case is 100_000_000e18 Pepe token. This issue would never occur with USDC or Ethereum, or most of the other regular tokens that will be used in this protocol. It can theoretically occur with 18 decimal stable coins but requires tens of millions of dollars in a single position by a single user. Therefore, I think this is a medium severity issue with external requirements. I would be grateful if you could reconsider the severity of this issue. |
Picodes changed the severity to 2 (Med Risk) |
@osmanozdemir1 thanks for your comment. After consideration, I agree with you on this one. As this is more a DoS, requires external conditions and isn't triggered by an attacker, medium severity seems justified. |
Lines of code
https://github.com/code-423n4/2023-11-panoptic/blob/main/contracts/SemiFungiblePositionManager.sol#L1280-L1285
Vulnerability details
Impact
Proof of Concept
Whenever minting/burning, if the
netLiquidity
andamountToCollect
are non-zero, the premia calculation is invokedhttps://github.com/code-423n4/2023-11-panoptic/blob/main/contracts/SemiFungiblePositionManager.sol#L1217
In case the
removedLiquidity
is high and thenetLiquidity
is extremely low, the calculation in_getPremiaDeltas
will revert since the calculated amount cannot be casted touint128
https://github.com/code-423n4/2023-11-panoptic/blob/main/contracts/SemiFungiblePositionManager.sol#L1280-L1285
This can be affected in the following ways:
mints
to revert.Example Scenarios
Attacker making :
For
PEPE/ETH
attacker opens a short with 100_000_000e18 PEPE. This gives > 2 ** 71 liquidity and is worth around 100$.Attacker mints long
100_000_000e18 - 1000
makingnetLiquidity
equal to a very small amount and makingremovedLiquidity
> 2 ** 71. Once enough fees is accrued, further mints on this position is disabled for this address.Dust accrual due to round down :
Liquidity position ranges:
tickLower = 199260
tickUpper = 199290
Short amount (== token amount):
amount0 = 219738690
liquidityMinted = 3110442974185905
Long amount 1 == amount0/2 = 109869345
Long amount 2 == amount0/2 = 109869345
Liquidity removed = 1555221487092952 * 2 = 3110442974185904
Dust = 1
When the feeDifference becomes non-zero (due to increased dust by similar operations / accrual of fees in the range), similar effect to earlier scenario will be observed
POC Code
Set fork_block_number = 18706858 and run
forge test --mt testHash_PremiaRevertDueToLowNetHighLiquidity
For dust accrual POC run :
forge test --mt testHash_DustLiquidityAmount
Tools Used
Manual review
Recommended Mitigation Steps
Modify the premia calculation or use
uint256
for storing premiaAssessed type
DoS
The text was updated successfully, but these errors were encountered: