The ability of the Uniswap V2 AMO to add liquidity can be bricked indefinitely #2098
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-1782
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
code423n4
added
2 (Med Risk)
|
bytes032 marked the issue as duplicate of #928 |
|
bytes032 marked the issue as not a duplicate |
|
bytes032 marked the issue as duplicate of #928 |
|
bytes032 marked the issue as not a duplicate |
|
bytes032 marked the issue as duplicate of #1455 |
|
bytes032 marked the issue as duplicate of #1782 |
c4-pre-sort
added
the
sufficient quality report
|
bytes032 marked the issue as sufficient quality report |
|
GalloDaSballo marked the issue as unsatisfactory: |
c4-judge
added
the
unsatisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/amo/UniV2LiquidityAmo.sol#L200-L207
Vulnerability details
Impact
An important function of the Uniswap V2 AMO is adding and managing liquidity for select pools. There is however a logic flaw in the
addLiquidityfunction of the UniV2LiquidityAmo contract with the way that tokens are approved for the AMM router, which can result in effectively permanent DOS of the ability to add liquidity for that pool (e.g. a tokenA,TokenB pair). This issue is due to unused allowance whensafeApproveis called, wherein for one of the tokens in the pair, not all of the allowance will be used. This then means, given the logic ofsafeApprovewhich requires existing approvals to be 0, any future call which references this same token will revert. Since the AMO only handles one pool with two unique tokens (tokenA and tokenB are fixed) this means the entire functionality of the contract will be bricked.Proof of Concept
The
addLiquidityfunction of the Uniswap V2 AMO is defined as follows:Notice that in the call to
addLiquidity, the admin will specify atokenAAmountandtokenBAmountin which they intend to add as liquidity for a given Uniswap V2 pool. Both of these tokens are approved for the router through the call ofsafeApprove. ThissafeApprovefunction requires that the existing approval for these tokens to be 0 prior to approving the new amounts (else reverts), which is where the issue arises.Generally when the admin calls
addLiquidity, they will specify amounts of tokenA and tokenB such that they equal the current ratio of the tokens in the pool. However, due to market movements prior to this tx being mined, it's possible that the actual ratio has changed (note:tokenAAmountMinandtokenBAmountMinare set to allow for this). Due to price movements, its possible that the Uniswap V2 router does not actually use all of thetokenAAmountortokenBAmountallowance. This then means the allowance will not be 0 for the next call, and so all future calls will revert. This all happens because the Uniswap V2 router calculates the optimal amount of both tokens, which means that the actual tokens transferred can be less than the allowance set.Note: it's also not possible to recover from this situation (from calling this function with
tokenAAmount=0 andtokenBAmount=0), because this will result in attempting to mint 0 liquidity, which reverts in the UniswapV2Pair contract.Tools Used
Manual review
Recommended Mitigation Steps
Consider approving 0 prior to approving the actual
tokenAAmountandtokenBAmount.Assessed type
Uniswap
The text was updated successfully, but these errors were encountered: