Omniscia Steer Protocol Audit

QuickSwapSinglePositionLiquidityManager Manual Review Findings

QSS-01M: Inexistent Sanitization of Bin Configuration

Type: Input Sanitization
Severity:
Location: QuickSwapSinglePositionLiquidityManager.sol:L102, L104, L188-L193

Description:

The QuickSwapSinglePositionLiquidityManager::tend function uses the totalWeight input argument to calculate the proportion of the contract's available balance to deposit to the QuickSwap pool. However, the proportion is not restricted to be at most equal to 100% (1e4).

As such, a QuickSwapSinglePositionLiquidityManager::tend call can deposit more than the available balance of the contract, depositing pending fees, which would cause all QuickSwapBaseLiquidityManager::_getBalance0 and QuickSwapBaseLiquidityManager::_getBalance1 function invocations to fail.

Impact:

It is possible for the vault to deposit more than its actual available balance as the weight of the QuickSwapSinglePositionLiquidityManager::tend call is not sanitized.

Example:

contracts/vault-types/QuickSwapLiquidityManagers/QuickSwapSinglePositionLiquidityManager.sol
 92  uint256 balance0 = _getBalance0();
 93  uint256 balance1 = _getBalance1();
 94
 95  emit Snapshot(sqrtPriceX96, balance0, balance1, totalSupply());
 96
 97  // Create new positions in Uniswap
 98  if (totalWeight > 0) {
 99      _setBins(
100          sqrtPriceX96,
101          // balance0 adjusted by totalWeight
102          FullMath.mulDiv(balance0, totalWeight, 1e4),
103          // balance1 adjusted by totalWeight
104          FullMath.mulDiv(balance1, totalWeight, 1e4),
105          swapAmount
106      );
107  }

Recommendation:

We advise the code to ensure that totalWeight is at most equal to 1e4, as otherwise underflow errors would occur in the QuickSwapBaseLiquidityManager::_getBalance0 and QuickSwapBaseLiquidityManager::_getBalance1 functions.

Alleviation (0c3f85c7c11805ac412fe291f5681bef26da7244):

A require check was introduced ensuring that the totalWeight specified in a QuickSwapSinglePositionLiquidityManager::tend call is at most 100_00, thus alleviating this exhibit.
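
The failure mode and the bound described in this finding, as an added Solidity model that is not Steer Protocol's code. The contract and function names, the plain multiply-divide standing in for FullMath.mulDiv, and the assumption that the balance getter subtracts pending fees from the tokens held are all illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration only; every name here is hypothetical.
contract WeightBoundModel {
    uint256 internal constant TOTAL_WEIGHT_MAX = 1e4; // 100% in basis points

    uint256 public held;        // tokens held by the vault (stand-in for a token balance)
    uint256 public pendingFees; // fees owed but not yet paid out

    constructor(uint256 held_, uint256 pendingFees_) {
        held = held_;
        pendingFees = pendingFees_;
    }

    // Assumed shape of the balance getter: held tokens minus pending fees.
    // Checked arithmetic (Solidity >= 0.8) reverts once held < pendingFees.
    function available() public view returns (uint256) {
        return held - pendingFees;
    }

    // Unsanitized form: totalWeight may exceed 1e4, so the deposit can
    // exceed available() and consume tokens reserved for fees.
    function tendUnchecked(uint256 totalWeight) external returns (uint256 deposited) {
        deposited = (available() * totalWeight) / 1e4;
        held -= deposited; // models tokens leaving the vault for the pool
    }

    // Sanitized form: any weight above 100% is rejected before state changes.
    function tendChecked(uint256 totalWeight) external returns (uint256 deposited) {
        require(totalWeight <= TOTAL_WEIGHT_MAX, "totalWeight > 1e4");
        deposited = (available() * totalWeight) / 1e4;
        held -= deposited;
    }
}

// Constructed walk-through with held = 1000 and pendingFees = 100:
//   available()            = 900
//   tendUnchecked(11000)   deposits 900 * 11000 / 1e4 = 990, leaving held = 10
//   available() afterwards computes 10 - 100 and reverts with an underflow panic
//   tendChecked(11000)     reverts at the require, state unchanged
//   tendChecked(10000)     deposits 900, leaving held = 100 and available() = 0
```

In the model, a weight of 1e4 is the largest value that leaves the pending fees intact, which is why the bound is inclusive.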