Code4renaCODE423N4:2023-12-PARTICLE-FINDINGS-ISSUES-59Dangerous use of deadline parameter
AI Score
Confidence
Low
Lines of code
<https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/libraries/LiquidityPosition.sol#L197>
<https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/libraries/LiquidityPosition.sol#L260>
Vulnerability details
Summary
The protocol is using block.timestamp as the deadline argument while interacting with the Uniswap NFT Position Manager, which completely defeats the purpose of using a deadline.
Impact
Actions in the Uniswap NonfungiblePositionManager contract are protected by a deadline parameter to limit the execution of pending transactions. Functions that modify the liquidity of the pool check this parameter against the current block timestamp in order to discard expired actions.
These interactions with the Uniswap position are present in the LiquidityPosition library. The functions mint(), increaseLiquidity() and decreaseLiquidity() call their corresponding functions in the Uniswap Position Manager, providing block.timestamp as the argument for the deadline parameter:
131: // mint the position
132: (tokenId, liquidity, amount0Minted, amount1Minted) = Base.UNI_POSITION_MANAGER.mint(
133: INonfungiblePositionManager.MintParams({
134: token0: params.token0,
135: token1: params.token1,
136: fee: params.fee,
137: tickLower: params.tickLower,
138: tickUpper: params.tickUpper,
139: amount0Desired: params.amount0ToMint,
140: amount1Desired: params.amount1ToMint,
141: amount0Min: params.amount0Min,
142: amount1Min: params.amount1Min,
143: recipient: address(this),
144: deadline: block.timestamp
145: })
146: );
189: // increase liquidity via position manager
190: (liquidity, amount0Added, amount1Added) = Base.UNI_POSITION_MANAGER.increaseLiquidity(
191: INonfungiblePositionManager.IncreaseLiquidityParams({
192: tokenId: tokenId,
193: amount0Desired: amount0,
194: amount1Desired: amount1,
195: amount0Min: 0,
196: amount1Min: 0,
197: deadline: block.timestamp
198: })
199: );
254: (amount0, amount1) = Base.UNI_POSITION_MANAGER.decreaseLiquidity(
255: INonfungiblePositionManager.DecreaseLiquidityParams({
256: tokenId: tokenId,
257: liquidity: liquidity,
258: amount0Min: 0,
259: amount1Min: 0,
260: deadline: block.timestamp
261: })
262: );
Using block.timestamp as the deadline is effectively a no-operation that has no effect nor protection. Since block.timestamp will take the timestamp value when the transaction gets mined, the check will end up comparing block.timestamp against the same value, i.e. block.timestamp <= block.timestamp (see <https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/base/PeripheryValidation.sol#L7>).
Failure to provide a proper deadline value enables pending transactions to be maliciously executed at a later point. Transactions that provide an insufficient amount of gas such that they are not mined within a reasonable amount of time, can be picked by malicious actors or MEV bots and executed later in detriment of the submitter.
See this issue for an excellent reference on the topic (the author runs a MEV bot).
Recommendation
Add a deadline parameter to each of the functions that are used to manage the liquidity position, ParticlePositionManager.mint(), ParticlePositionManager.increaseLiquidity() and ParticlePositionManager.decreaseLiquidity(). Forward this parameter to the corresponding underlying calls to the Uniswap NonfungiblePositionManager contract.
Assessed type
Other
The text was updated successfully, but these errors were encountered:
All reactions
AI Score
Confidence
Low