Lack checks if Pool deployed by the canonical UniswapV3Factory in uniswapV3SwapCallback #175
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
low quality report: This report is of especially low quality
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L216
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L271
Vulnerability details
Impact
Loss of deserved tokens or DoS when users use this contract.
Proof of Concept
According to the Uniswap docs:
https://docs.uniswap.org/contracts/v3/reference/core/interfaces/callback/IUniswapV3SwapCallback#uniswapv3swapcallback
However, there is no check in this contract's implementation. So a malicious user (since anyone can deploy this contract and trick other users into using it) or a malicious project owner (not a centralization risk, I think: code-423n4/2022-10-juicebox-findings#191 (comment)) can create a fake pool, which calls uniswapV3SwapCallback. There are two attacks:
1. Reach the max allowed slippage and get extra tokens. The attacker can do the exchange himself at a low slippage but give back to the user at a high allowed slippage.
2. Bypass the slippage but revert later. The attacker can pass nice parameters to uniswapV3SwapCallback but doesn't transfer tokens (or transfers few), so he can pass the slippage checks. But the transaction will later revert (DoS) either at:
or
Tools Used
VSCode
Recommended Mitigation Steps
We should use functions like UniswapV3Factory.getPool() to make sure it's a real pool.
Assessed type
Uniswap
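The check recommended in the report, written out as an added example (not code from the report or from the Juicebox repository): a swap callback that pays only when the caller is the pool the canonical factory returns for the configured pair and fee tier. The contract name, constructor parameters and error names are hypothetical; the getPool and transfer signatures are those of Uniswap V3 core and ERC-20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Minimal interfaces; signatures match Uniswap V3 core and ERC-20.
interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical contract for illustration; not JBXBuybackDelegate.
contract CallbackGuardExample {
    IUniswapV3Factory public immutable factory; // canonical factory, fixed at deployment
    address public immutable tokenIn;           // token this contract pays to the pool
    address public immutable tokenOut;          // token this contract receives
    uint24 public immutable fee;                // fee tier of the intended pool

    error CallerNotCanonicalPool(address caller);
    error NothingOwed();
    error TransferFailed();

    constructor(IUniswapV3Factory _factory, address _tokenIn, address _tokenOut, uint24 _fee) {
        factory = _factory;
        tokenIn = _tokenIn;
        tokenOut = _tokenOut;
        fee = _fee;
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata) external {
        // getPool returns address(0) for an unknown pair/fee; msg.sender is never
        // address(0), so one comparison rejects both a missing and a fake pool.
        if (msg.sender != factory.getPool(tokenIn, tokenOut, fee)) {
            revert CallerNotCanonicalPool(msg.sender);
        }

        // Pools order tokens by address: token0 < token1. A positive delta is owed to the pool.
        int256 owed = tokenIn < tokenOut ? amount0Delta : amount1Delta;
        if (owed <= 0) revert NothingOwed();

        // Pay only after the caller is authenticated. Tokens that return no
        // value need a safe-transfer wrapper instead of this plain call.
        if (!IERC20(tokenIn).transfer(msg.sender, uint256(owed))) revert TransferFailed();
    }
}
```

The Uniswap v3-periphery library CallbackValidation.verifyCallback performs the same caller check by deriving the pool address from the factory, token pair and fee instead of calling getPool.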