You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
sherlock-admin opened this issue
May 23, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
USSDRebalancer getOwnValuation() calculation may overflow
Summary
The USSDRebalancer getOwnValuation() calculation may overflow
Vulnerability Detail
The USSDRebalancer contract implements the getOwnValuation() function to get the spot price of the asset using a Uniswap V3 pool. The function queries the pool to fetch the sqrtPriceX96 and does the following calculation:
Note that this implementation guards against different numerical issues. In particular, the if in line sqrtRatioX96 <= type(uint128).max checks for a potential overflow of sqrtRatioX96 and switches the implementation to avoid the issue.
Impact
Due to potential overflow, this function may not work correctly.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
Bauer
high
USSDRebalancer getOwnValuation() calculation may overflow
Summary
The USSDRebalancer getOwnValuation() calculation may overflow
Vulnerability Detail
The
USSDRebalancer
contract implements thegetOwnValuation()
function to get the spot price of the asset using a Uniswap V3 pool. The function queries the pool to fetch the sqrtPriceX96 and does the following calculation:The main issue here is that the multiplications in the expression sqrtPriceX96 * (uint(sqrtPriceX96)) * (1e18) may eventually overflow. This case is taken into consideration by the implementation of the OracleLibrary.getQuoteAtTick function which is part of the Uniswap V3 periphery set of contracts.
https://github.com/Uniswap/v3-periphery/blob/main/contracts/libraries/OracleLibrary.sol#L49-L69
Note that this implementation guards against different numerical issues. In particular, the if in line
sqrtRatioX96 <= type(uint128).max
checks for a potential overflow of sqrtRatioX96 and switches the implementation to avoid the issue.Impact
Due to potential overflow, this function may not work correctly.
Code Snippet
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#L71-L80
Tool used
Manual Review
Recommendation
The price function can delegate the calculation directly to the OracleLibrary.getQuoteAtTick function of the v3-periphery package.
Duplicate of #222
The text was updated successfully, but these errors were encountered: