Omniscia SaucerSwap Audit
UniswapV3Factory Manual Review Findings
UniswapV3Factory Manual Review Findings
UVF-01M: Improper Distribution of Rent Fees
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | UniswapV3Factory.sol:L60 |
Description:
The UniswapV3Factory::createPool function will distribute the convTinybar fee directly to the rentPayer after the pool has been created, rendering the contract susceptible to re-entrancy attacks.
Impact:
The rentPayer can re-enter the initial creation of a pool and potentially provide liquidity to it before the pool's creator has managed to do so.
Example:
41function createPool(42 address tokenA,43 address tokenB,44 uint24 fee45) payable external override noDelegateCall returns (address pool) {46 uint256 convTinybar = HbarConversion.tinycentsToTinybars(poolCreateFee);47 require(msg.value >= convTinybar);48 require(tokenA != tokenB);49 (address token0, address token1) = tokenA < tokenB ? (tokenA, tokenB) : (tokenB, tokenA);50 require(token0 != address(0));51 int24 tickSpacing = feeAmountTickSpacing[fee];52 require(tickSpacing != 0);53 require(getPool[token0][token1][fee] == address(0));54 pool = deploy(address(this), token0, token1, fee, tickSpacing);55 getPool[token0][token1][fee] = pool;56
57 // populate mapping in the reverse direction, deliberate choice to avoid the cost of comparing addresses58 getPool[token1][token0][fee] = pool;59 60 rentPayer.call{value: msg.value}("");61 emit PoolCreated(token0, token1, fee, tickSpacing, pool);62}Recommendation:
We advise the code to instead "credit" the rentPayer with the referenced balance, permitting them to invoke a special method to withdraw their "credit" from the UniswapV3Factory.
Alleviation (5809242f0b533bd32b98253a971d07dd5a986bb1):
A "credit" system was put in place within the codebase by ensuring the msg.value of a UniswapV3Factory::createPool call is equal-to-or-greater-than the convTinybar fee and permitting it to be extracted via a secondary UniswapV3Factory::collectRent function that simply transmits the full native balance of the factory to the rentPayer.
As such, we consider this exhibit fully alleviated.
UVF-02M: Potentially Improperly Set Fees
| Type | Severity | Location |
|---|---|---|
| Input Sanitization | | UniswapV3Factory.sol:L94, L100 |
Description:
The UniswapV3Factory::setPoolCreateFee and UniswapV3Factory::setMintFee functions will simply assign the input uint256 argument to the relevant data entry without any sanitization.
Impact:
Improperly defined fees will permit users to interact with the contract without paying the necessary rent fee for the Hedera Protocol.
Example:
91/// @inheritdoc IUniswapV3Factory92function setPoolCreateFee(uint256 _poolCreateFee) external override {93 require(msg.sender == owner);94 poolCreateFee = _poolCreateFee;95}96
97/// @inheritdoc IUniswapV3Factory98function setMintFee(uint256 _mintFee) external override {99 require(msg.sender == owner);100 mintFee = _mintFee;101}Recommendation:
Given that the input values need to represent TINY_PARTS_PER_WHOLE, we advise the code to impose a require check ensuring that the input values modulo (%) the value of TINY_PARTS_PER_WHOLE (100_000_000) equals zero, ensuring that the fees have been correctly specified.
Alleviation (3248d1d2fdfa6e1e270ff27db8eefb13dcb55c40):
The SaucerSwap team has not provided any alleviation for this exhibit. We strongly advise the SaucerSwap team to re-evaluate it as it is applicable to their iteration of Uniswap V3.