Submission Details
Severity:
Some tokens can't be swapped to WETH
Summary
There are some Uniswap WETH pools on Optimism have different swapping fee than 3000, these pools can't be found by ISwapRouter and swapping will always fail.
Vulnerability Details
In sellProfits(address _profits), the fee value of ISwapRouter.ExactInputSingleParams is always 3000, if fee of the _profits / WETH Uniswap pool is not 3000, ISwapRouter is unable to find the pool and transaction will fail as pool address is 0.
(int256 amount0, int256 amount1) =
getPool(tokenIn, tokenOut, fee).swap(
recipient,
zeroForOne,
amountIn.toInt256(),
sqrtPriceLimitX96 == 0
? (zeroForOne ? TickMath.MIN_SQRT_RATIO + 1 : TickMath.MAX_SQRT_RATIO - 1)
: sqrtPriceLimitX96,
abi.encode(data)
);
function getPool(
address tokenA,
address tokenB,
uint24 fee
) private view returns (IUniswapV3Pool) {
return IUniswapV3Pool(PoolAddress.computeAddress(factory, PoolAddress.getPoolKey(tokenA, tokenB, fee)));
}
function computeAddress(address factory, PoolKey memory key) internal pure returns (address pool) {
require(key.token0 < key.token1);
pool = address(
uint256(
keccak256(
abi.encodePacked(
hex'ff',
factory,
keccak256(abi.encode(key.token0, key.token1, key.fee)),
POOL_INIT_CODE_HASH
)
)
)
);
}
Impact
Tokens can't be swapped for WETH.
Tools Used
Manual Review
Recommendations
fee should be included in the tx's calldata and passed as a parameter to the sellProfits(address _profits) method.
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
70628
USDC / LOC
18,000 USDC
2,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.