Minimum slippage protection is used when increasing and decreasing Uniswap V3 position #13
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-2
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/LiquidityPosition.sol#L253-L263
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/LiquidityPosition.sol#L178-L204
Vulnerability details
Impact
According to uniswap V3 docs for increase and decrease liquidity:
However, current implementation inside Particle doesn't allow users to provide the amount minimum.
Proof of Concept
This are the current implementation for increasing and decreasing liquidity, it can be observed that
amount0Min
andamount1Min
provided are 0 :https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/LiquidityPosition.sol#L178-L204
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/LiquidityPosition.sol#L253-L263
There are several instances where increasing and decreasing liquidity are called :
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L118-L124
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L127-L132
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L423-L439
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L170-L173
This causes the operations to have minimal slippage protection when involving decreasing or increasing liquidity
Tools Used
Manual review
Recommended Mitigation Steps
When it is possible, allow user to provide
amount0Min
andamount1Min
Assessed type
Uniswap
The text was updated successfully, but these errors were encountered: