range fee growth underflow #25
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Warden finding
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
broccoli
Vulnerability details
range fee growth underflow
Impact
The function RangeFeeGrowth (ConcentratedLiquidityPool.sol#L601-L633) would revert the transaction in some cases.

When a pool crosses a tick, it only updates either feeGrowthOutside0 or feeGrowthOutside1. Ticks.sol#L23-L53

RangeFeeGrowth calculates the fee as follows:

feeGrowthBelow + feeGrowthAbove is not necessarily smaller than _feeGrowthGlobal. Please see POC.

Users cannot provide liquidity or burn liquidity. Funds will get stuck in the contract. I consider this a high-risk issue.
Proof of Concept
Tools Used
Hardhat
Recommended Mitigation Steps
It's either to modify the tick's algo or RangeFeeGrowth. The quick fix I came up with is to deal with the fee in RangeFeeGrowth. However, I recommend that the team go through the tick's logic again.
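The condition reported above can be reproduced in a small model. The following Python sketch is an added illustration, not code from the issue or from the project: it tracks one token's accumulator, and the tick indices, the numbers, the initialisation convention and the helper names (Tick, checked_sub, scenario) are assumptions made for the example.

```python
# Added illustration: a one-token model of the fee-growth bookkeeping.
# Names follow the issue's terms; tick layout and numbers are constructed.

class Revert(Exception):
    """Stands in for a checked subtraction that reverts on underflow."""

def checked_sub(a: int, b: int) -> int:
    if b > a:
        raise Revert(f"underflow: {a} - {b}")
    return a - b

class Tick:
    def __init__(self, index, current, fee_growth_global):
        self.index = index
        # Assumed convention: growth so far is attributed to the side below
        # the tick when the current price is at or above the tick.
        self.fee_growth_outside = fee_growth_global if current >= index else 0

    def cross(self, fee_growth_global, updates_this_token):
        # The issue: a cross updates only one token's feeGrowthOutside.
        # updates_this_token=False models the token that was skipped.
        if updates_this_token:
            self.fee_growth_outside = checked_sub(
                fee_growth_global, self.fee_growth_outside)

def range_fee_growth(lower, upper, current, fee_growth_global):
    below = (lower.fee_growth_outside if current >= lower.index
             else checked_sub(fee_growth_global, lower.fee_growth_outside))
    above = (upper.fee_growth_outside if current < upper.index
             else checked_sub(fee_growth_global, upper.fee_growth_outside))
    # Reverts whenever below + above exceeds the global accumulator.
    return checked_sub(checked_sub(fee_growth_global, below), above)

def scenario(updates_this_token):
    current, g = 0, 100
    lower = Tick(-10, current, g)   # outside = 100
    upper = Tick(10, current, g)    # outside = 0
    g = 120                         # 20 units of growth accrue inside the range
    upper.cross(g, updates_this_token)
    current = 10                    # price now sits at the upper tick
    try:
        return range_fee_growth(lower, upper, current, g)
    except Revert:
        return "revert"
```

With the upper tick's value left stale, feeGrowthBelow is 100 and feeGrowthAbove is 120 against a global value of 120, so the subtraction reverts; when the cross updates this token, the same sequence returns 20.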