Low Liquidity in Uniswap V3 Pool Can Lead to ETH Lockup in JBXBuybackDelegate
Contract
#162
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
M-02
primary issue
Highest quality submission among a set of duplicates
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-05-juicebox/blob/9a36e5c8d0588f0f262a0cd1c08e34b2184d8f4d/juice-buyback/contracts/JBXBuybackDelegate.sol#L216
Vulnerability details
Impact
The
JBXBuybackDelegate
contract employs Uniswap V3 to perform ETH-to-project token swaps. When the terminal invokes theJBXBuybackDelegate.didPay()
function, it provides the amount of ETH to be swapped for project tokens. The swap operation setssqrtPriceLimitX96
to the lowest possible price, and the slippage is checked at the callback.However, if the Uniswap V3 pool lacks sufficient liquidity or being manipulated before the transaction is executed, the swap will halt once the pool's price reaches the
sqrtPriceLimitX96
value. Consequently, not all the ETH sent to the contract will be utilized, resulting in the remaining ETH becoming permanently locked within the contract.Proof of Concept
The
_swap()
function interacts with the Uniswap V3 pool. It setssqrtPriceLimitX96
to the minimum or maximum feasible value to ensure that the swap attempts to utilize all available liquidity in the pool.In the Uniswap V3 pool, this check stops the loop if the price limit is reached or the entire input has been used. If the pool does not have enough liquidity, it will still do the swap until the price reaches the minimum/maximum price.
Finally, the
uniswapV3SwapCallback()
function uses the input from the pool callback to wrap ETH and transfer WETH to the pool. So, if_amountToSend < msg.value
, the unused ETH is locked in the contract.Tools Used
Manual Review
Recommended Mitigation Steps
Consider returning the amount of unused ETH to the beneficiary.
Assessed type
Other
The text was updated successfully, but these errors were encountered: