Token balances can be made to not correctly reflect the underlying position #527
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-256
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Comments

Dec 11, 2023: c4-bot-2 added the labels 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value) and bug (Something isn't working).

Dec 14, 2023: c4-judge added the label primary issue (Highest quality submission among a set of duplicates).

Picodes marked the issue as primary issue.

another dup #256

dyedm1 (sponsor) confirmed

Dec 18, 2023: c4-sponsor added the label sponsor confirmed (Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")).

Picodes marked the issue as duplicate of #256.

Dec 23, 2023: c4-judge added the label duplicate-256 and removed the label primary issue (Highest quality submission among a set of duplicates).

Picodes changed the severity to 3 (High Risk).

Dec 26, 2023: c4-judge added the labels 3 (High Risk) (Assets can be stolen/lost/compromised directly) and upgraded by judge (Original issue severity upgraded from QA/Gas by judge), and removed the label 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value).

Picodes marked the issue as satisfactory.

Dec 26, 2023: c4-judge added the label satisfactory (satisfies C4 submission criteria; eligible for awards).

Jan 3, 2024: c4-judge added the label partial-50 (Incomplete articulation of vulnerability; eligible for partial credit only (50%)) and removed the label satisfactory (satisfies C4 submission criteria; eligible for awards).

Picodes marked the issue as partial-50.

The described impact is not of high severity so giving partial credit
Lines of code
https://github.com/code-423n4/2023-11-panoptic/blob/main/contracts/SemiFungiblePositionManager.sol#L621-L630

Vulnerability details

Impact
Token balances won't reflect the underlying position.

Proof of Concept
When transferring, the entire liquidity position is transferred to the other user. The checks done for the sender are on the netLiquidity of the position: https://github.com/code-423n4/2023-11-panoptic/blob/main/contracts/SemiFungiblePositionManager.sol#L621-L630

This makes many paths possible where the token balances of an address don't represent the underlying position.

Eg:

Now the user has 50 short tokens and 100 long tokens although the user's liquidity position is 0.

It is also not checked whether the token being transferred represents a short, even though the netLiquidity is moved.

Tools Used
Manual review

Recommended Mitigation Steps
If this is not intended behaviour, separate the transfer of removedLiquidity and netLiquidity based on the long/short nature of the token leg, and decrease the feeBase only for short transfers.

Assessed type
Token-Transfer
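The transfer path the report describes, as an added toy model in Python (not the Panoptic contract's code): it assumes liquidity is keyed per (owner, chunk) and token balances per (owner, chunk, long-or-short), applies in transfer_vulnerable only the netLiquidity check the report points at before moving the whole chunk, follows the report's mitigation direction in transfer_hardened by moving only the transferred leg, and offers consistent() as the invariant a test suite can assert after every transfer. feeBase accounting is left out.

```python
from dataclasses import dataclass

@dataclass
class Chunk:
    net: int = 0      # netLiquidity: short minus long liquidity in this chunk
    removed: int = 0  # removedLiquidity: liquidity taken out by long legs

class Manager:
    """Toy model (assumption, not the contract): token balances keyed by
    (owner, chunk, is_long), liquidity keyed by (owner, chunk)."""
    def __init__(self):
        self.bal, self.liq = {}, {}
    def chunk(self, owner, chunk):
        return self.liq.setdefault((owner, chunk), Chunk())
    def _add(self, owner, chunk, is_long, delta):  # token balance update
        k = (owner, chunk, is_long)
        if self.bal.get(k, 0) + delta < 0:
            raise ValueError("insufficient balance")
        self.bal[k] = self.bal.get(k, 0) + delta
    def mint(self, owner, chunk, is_long, amount):
        c = self.chunk(owner, chunk)
        c.net += -amount if is_long else amount
        c.removed += amount if is_long else 0
        self._add(owner, chunk, is_long, amount)
    def transfer_vulnerable(self, sender, receiver, chunk, is_long, amount):
        # Hook as the issue describes it: the only check is amount == sender's
        # netLiquidity; then the whole chunk moves, whatever the leg type.
        src = self.chunk(sender, chunk)
        if amount != src.net:
            raise ValueError("TransferFailed")
        self.liq[(receiver, chunk)], self.liq[(sender, chunk)] = src, Chunk()
        self._add(sender, chunk, is_long, -amount)
        self._add(receiver, chunk, is_long, amount)
    def transfer_hardened(self, sender, receiver, chunk, is_long, amount):
        # Mitigation direction from the report: a long leg moves removedLiquidity,
        # a short leg moves netLiquidity, each by that leg's amount only.
        self._add(sender, chunk, is_long, -amount)
        self._add(receiver, chunk, is_long, amount)
        src, dst = self.chunk(sender, chunk), self.chunk(receiver, chunk)
        src.net += amount if is_long else -amount
        dst.net += -amount if is_long else amount
        src.removed -= amount if is_long else 0
        dst.removed += amount if is_long else 0
    def consistent(self, owner, chunk):
        # Invariant a test suite should assert: short - long == net, long == removed.
        short = self.bal.get((owner, chunk, False), 0)
        long_ = self.bal.get((owner, chunk, True), 0)
        c = self.chunk(owner, chunk)
        return short - long_ == c.net and long_ == c.removed
```

With a short of 100 and a long of 50 on the same chunk, the vulnerable hook accepts a transfer of the 50 long tokens (amount equals netLiquidity) and leaves the sender holding 100 short tokens against zero liquidity.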