Skip to content
This repository has been archived by the owner on Nov 5, 2023. It is now read-only.

0x52 - UniswapV3 sqrtRatioLimit doesn't provide slippage protection and will result in partial swaps #132

Open
sherlock-admin opened this issue Apr 30, 2023 · 2 comments
Open

0x52 - UniswapV3 sqrtRatioLimit doesn't provide slippage protection and will result in partial swaps #132

sherlock-admin opened this issue Apr 30, 2023 · 2 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

0x52

high

UniswapV3 sqrtRatioLimit doesn't provide slippage protection and will result in partial swaps

Summary

The sqrtRatioLimit for UniV3 doesn't cause the swap to revert upon reaching that value. Instead it just cause the swap to partially fill. This is a known issue with using sqrtRatioLimit as can be seen here where the swap ends prematurely when it has been reached. This is problematic as this is meant to provide the user with slippage protection but doesn't.

Vulnerability Detail

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/IchiSpell.sol#L209-L223

    if (amountToSwap > 0) {
        SWAP_POOL = IUniswapV3Pool(vault.pool());
        uint160 deltaSqrt = (param.sqrtRatioLimit *
            uint160(param.sellSlippage)) / uint160(Constants.DENOMINATOR);
        SWAP_POOL.swap(
            address(this),
            // if withdraw token is Token0, then swap token1 -> token0 (false)
            !isTokenA,
            amountToSwap.toInt256(),
            isTokenA
                ? param.sqrtRatioLimit + deltaSqrt
                : param.sqrtRatioLimit - deltaSqrt, // slippaged price cap
            abi.encode(address(this))
        );
    }

sqrtRatioLimit is used as slippage protection for the user but is ineffective and depending on what tokens are being swapped, tokens may be left the in the contract which can be stolen by anyone.

Impact

Incorrect slippage application can result in partial swaps and loss of funds

Code Snippet

IchiSpell.sol#L181-L236

Tool used

Manual Review

Recommendation

Check the amount received from the swap and compare it against some user supplied minimum
@github-actions github-actions bot added the High A valid High severity issue label May 3, 2023
@hrishibhat hrishibhat mentioned this issue May 19, 2023
Closed
@hrishibhat hrishibhat added the Has Duplicates A valid issue with 1+ other issues describing the same vulnerability label May 19, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label May 20, 2023
@Gornutz Gornutz added the Will Fix The sponsor confirmed this issue will be fixed label Jun 6, 2023
@Gornutz
Copy link

Gornutz commented Jun 12, 2023

Blueberryfi/blueberry-core@314eaf2

@IAm0x52
Copy link
Collaborator

IAm0x52 commented Jun 16, 2023

Contract now uses the UniV3 router rather than interacting with the pool directly. However it still utilizes sqrtPriceLimitX96 which is potentially dangerous. Should use sqrtPriceLimitX96 = 0.

@peakbolt peakbolt mentioned this issue Jul 27, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hrishibhat @Gornutz @sherlock-admin @IAm0x52