Code4rena
CODE423N4:2023-12-PARTICLE-FINDINGS-ISSUES-57
Dec 21, 2023 - 12:00 a.m.

LP owner cannot control slippage while managing their position

Source: github.com
Tags: vulnerability, slippage control, uniswap interaction, interaction parameters, liquidity management

AI Score: 7.1 High (Confidence: High)

Lines of code
<https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/protocol/ParticlePositionManager.sol#L127>

Vulnerability details

Summary

The owner of the LP cannot specify the slippage parameters while interacting with this position in increaseLiquidity() and decreaseLiquidity().

Impact

Liquidity interaction with Uniswap is protected by minimum amount parameters that control the slippage of these actions. Minting a new position, increasing liquidity or decreasing liquidity in the Uniswap NonfungiblePositionManager contract allows defining minimum output parameters that control the outcome of the actions (see parameters structs in INonfungiblePositionManager).

On the Particle side, liquidity providers can only control slippage in the mint action. The implementation of mint() includes slippage parameters and correctly forwards those to the NPM contract:

<https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/libraries/LiquidityPosition.sol#L131-L146>

    // mint the position
    (tokenId, liquidity, amount0Minted, amount1Minted) = Base.UNI_POSITION_MANAGER.mint(
        INonfungiblePositionManager.MintParams({
            token0: params.token0,
            token1: params.token1,
            fee: params.fee,
            tickLower: params.tickLower,
            tickUpper: params.tickUpper,
            amount0Desired: params.amount0ToMint,
            amount1Desired: params.amount1ToMint,
            amount0Min: params.amount0Min,
            amount1Min: params.amount1Min,
            recipient: address(this),
            deadline: block.timestamp
        })
    );

However, in both increaseLiquidity() and decreaseLiquidity(), these parameters are hardcoded to zero:

<https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/libraries/LiquidityPosition.sol#L189-L199>

    // increase liquidity via position manager
    (liquidity, amount0Added, amount1Added) = Base.UNI_POSITION_MANAGER.increaseLiquidity(
        INonfungiblePositionManager.IncreaseLiquidityParams({
            tokenId: tokenId,
            amount0Desired: amount0,
            amount1Desired: amount1,
            amount0Min: 0,
            amount1Min: 0,
            deadline: block.timestamp
        })
    );

<https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/libraries/LiquidityPosition.sol#L254-L262>

    (amount0, amount1) = Base.UNI_POSITION_MANAGER.decreaseLiquidity(
        INonfungiblePositionManager.DecreaseLiquidityParams({
            tokenId: tokenId,
            liquidity: liquidity,
            amount0Min: 0,
            amount1Min: 0,
            deadline: block.timestamp
        })
    );

Since these parameters are always hardcoded to zero, the LP owner cannot possibly protect against slippage while managing their positions.

Recommendation

Similar to the implementation of mint(), add the corresponding slippage parameters to ParticlePositionManager.increaseLiquidity() and ParticlePositionManager.decreaseLiquidity() and forward these to the underlying calls to the Uniswap Position Manager contract.
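
The recommended change, sketched as an added example (not code from the Particle repository): a hypothetical library, SlippageAwareLiquidity, whose name and function signatures are assumptions, forwards caller-supplied amount0Min and amount1Min to the Uniswap position manager instead of hardcoding zero. The interface is a subset of Uniswap v3's INonfungiblePositionManager, declared inline so the snippet compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Uniswap v3's INonfungiblePositionManager, inlined so this compiles alone.
interface INonfungiblePositionManager {
    struct IncreaseLiquidityParams {
        uint256 tokenId; uint256 amount0Desired; uint256 amount1Desired;
        uint256 amount0Min; uint256 amount1Min; uint256 deadline;
    }
    struct DecreaseLiquidityParams {
        uint256 tokenId; uint128 liquidity;
        uint256 amount0Min; uint256 amount1Min; uint256 deadline;
    }
    function increaseLiquidity(IncreaseLiquidityParams calldata params)
        external payable returns (uint128 liquidity, uint256 amount0, uint256 amount1);
    function decreaseLiquidity(DecreaseLiquidityParams calldata params)
        external payable returns (uint256 amount0, uint256 amount1);
}

// Hypothetical library: name and signatures are assumptions, not Particle's code.
// Token transfers, approvals and ownership checks stay with the caller.
library SlippageAwareLiquidity {
    function increaseLiquidity(
        INonfungiblePositionManager npm, uint256 tokenId,
        uint256 amount0, uint256 amount1,
        uint256 amount0Min, uint256 amount1Min // caller-supplied floors instead of 0
    ) internal returns (uint128 liquidity, uint256 amount0Added, uint256 amount1Added) {
        (liquidity, amount0Added, amount1Added) = npm.increaseLiquidity(
            INonfungiblePositionManager.IncreaseLiquidityParams({
                tokenId: tokenId, amount0Desired: amount0, amount1Desired: amount1,
                amount0Min: amount0Min, amount1Min: amount1Min,
                deadline: block.timestamp
            })
        );
    }

    function decreaseLiquidity(
        INonfungiblePositionManager npm, uint256 tokenId, uint128 liquidity,
        uint256 amount0Min, uint256 amount1Min // NPM reverts if less than this is returned
    ) internal returns (uint256 amount0, uint256 amount1) {
        (amount0, amount1) = npm.decreaseLiquidity(
            INonfungiblePositionManager.DecreaseLiquidityParams({
                tokenId: tokenId, liquidity: liquidity,
                amount0Min: amount0Min, amount1Min: amount1Min,
                deadline: block.timestamp
            })
        );
    }
}
```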

Assessed type

Other

