MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

`L2TokenReceiver` contract doesn't have a mechanism to provide liquidity to any `wstETH` Uniswap pool

Summary

L2TokenReceiver contract doesn't have a mechanism to provide liquidity to any wstETH Uniswap pool, which will render the contract unusable and the received wstETH tokens stuck/unutilized.

Vulnerability Details

  • The L2TokenReceiver contract is meant to receive the overplus staked stETH bridged from L1 and to use it to farm yield by providing it to a wstETH Uniswap pool.

  • This contract has three functions to interact with Uniswap:

    1. increaseLiquidityCurrentRange function that calls the Uniswap NonfungiblePositionManager contract to increase the liquidity of the created positions.

    2. swap function that interacts with Uniswap SwapRouter to swap contract tokens.

    3. collectFees function that interacts with Uniswap NonfungiblePositionManager to close created positions.

  • However, the L2TokenReceiver contract doesn't have any mechanism to provide liquidity to any Uniswap pool (creating a position).

Impact

This will render the contract unusable/inefficient, as it will not be able to utilize the received overplus tokens from the L1 Distribution contract.

Proof of Concept

L2TokenReceiver contract

contract L2TokenReceiver is IL2TokenReceiver, OwnableUpgradeable, UUPSUpgradeable {

Tools Used

Manual Review.

Recommendations

Add a function that enables the contract owner to provide liquidity to a selected Uniswap pool (creating a position).
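
For illustration, an owner-gated position-creation function of the kind this recommendation describes could look like the following. This is an added example, not code from the MorpheusAI repository or from the submission. The names `PositionMinterSketch`, `createPosition`, `IERC20Min`, `IPositionManagerMin` and `nfpm` are hypothetical, the plain `owner` check stands in for `OwnableUpgradeable`, and the `MintParams` struct and `mint` signature follow Uniswap V3's `INonfungiblePositionManager`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; not code from the MorpheusAI repository.
interface IERC20Min {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Subset of Uniswap V3's INonfungiblePositionManager.
interface IPositionManagerMin {
    struct MintParams {
        address token0;
        address token1;
        uint24 fee;
        int24 tickLower;
        int24 tickUpper;
        uint256 amount0Desired;
        uint256 amount1Desired;
        uint256 amount0Min;
        uint256 amount1Min;
        address recipient;
        uint256 deadline;
    }
    function mint(MintParams calldata params)
        external payable
        returns (uint256 tokenId, uint128 liquidity, uint256 amount0, uint256 amount1);
}

contract PositionMinterSketch {
    address public immutable owner;            // stand-in for OwnableUpgradeable
    IPositionManagerMin public immutable nfpm; // hypothetical name

    constructor(IPositionManagerMin nfpm_) { owner = msg.sender; nfpm = nfpm_; }

    function createPosition(IPositionManagerMin.MintParams calldata p)
        external returns (uint256 tokenId, uint128 liquidity)
    {
        require(msg.sender == owner, "not owner");
        require(p.recipient == address(this), "position must stay here");
        // Caller-supplied minimums bound slippage; reject a zero/zero floor.
        require(p.amount0Min > 0 || p.amount1Min > 0, "no slippage bound");
        IERC20Min(p.token0).approve(address(nfpm), p.amount0Desired);
        IERC20Min(p.token1).approve(address(nfpm), p.amount1Desired);
        (tokenId, liquidity, , ) = nfpm.mint(p);
        // Clear leftover allowance when mint used less than desired.
        IERC20Min(p.token0).approve(address(nfpm), 0);
        IERC20Min(p.token1).approve(address(nfpm), 0);
    }
}
```

The checks worth reviewing in any such function are the access control, the recipient of the position NFT, the minimum-amount bounds, and the allowance left on the position manager after the call.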

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
