MorpheusAI
MorpheusAI
Foundry
22,500 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

8 lows for mocks

pontifex

L-1/8. The WStETHMock.wrap function returns stETHAmount_ variable instead of wstETHAmount

Relevant GitHub Links

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/mock/tokens/WStETHMock.sol#L26

Summary

The WStETHMock.wrap function should return wstETHAmount, but returns a received stETHAmount_ variable. This inconsistency with the original function can cause issues with test improvements.

Vulnerability Details

The original wrap function returns wstETHAmount:

function wrap(uint256 _stETHAmount) external returns (uint256) {
require(_stETHAmount > 0, "wstETH: can't wrap zero stETH");
uint256 wstETHAmount = stETH.getSharesByPooledEth(_stETHAmount);
_mint(msg.sender, wstETHAmount);
stETH.transferFrom(msg.sender, address(this), _stETHAmount);
return wstETHAmount;
}

https://etherscan.io/token/0x7f39c581f595b53c5cb19bd0b3f8da6c935e2ca0#code
The WStETHMock.wrap function returns stETHAmount_:

function wrap(uint256 stETHAmount_) external returns (uint256) {
require(stETHAmount_ > 0, "wstETH: can't wrap zero stETH");
_mint(msg.sender, stETHAmount_);
stETH.transferFrom(msg.sender, address(this), stETHAmount_);
return stETHAmount_;
}

Impact

Inconsistency with the original function case issues with test improvements.

Tools used

Manual Review

Recommendations

Consider announcing and returning the wstETHAmount variable.

L-2/8. The SwapRouterMock.exactInputSingle function returns params_.amountIn variable instead of amountOut

Relevant GitHub Links

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/mock/SwapRouterMock.sol#L12

Summary

The SwapRouterMock.exactInputSingle function should return amountOut, but returns a received params_.amountIn variable. This inconsistency with the original function can cause issues with test improvements.

Vulnerability Details

The original exactInputSingle function returns amountOut:

function exactInputSingle(ExactInputSingleParams calldata params)
external
payable
override
checkDeadline(params.deadline)
returns (uint256 amountOut)
{

https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/SwapRouter.sol#L120
The SwapRouterMock.exactInputSingle function returns params_.amountIn

function exactInputSingle(ISwapRouter.ExactInputSingleParams calldata params_) external returns (uint256) {
IERC20(params_.tokenIn).transferFrom(msg.sender, address(this), params_.amountIn);
IERC20(params_.tokenOut).transfer(params_.recipient, params_.amountIn);
return params_.amountIn;
}

Impact

Inconsistency with the original function case issues with test improvements.

Tools used

Manual Review

Recommendations

Consider announcing and returning the amountOut variable.

L-3/8. The SwapRouterMock.exactInputSingle function does not revert if tokenIn == tokenOut

Relevant GitHub Links

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/mock/SwapRouterMock.sol#L8-L12

Summary

The SwapRouterMock.exactInputSingle function does not revert if tokenIn == tokenOut. This invariant can not be checked.

Vulnerability Details

There is an revert in the execution flow of the original function:

function computeAddress(address factory, PoolKey memory key) internal pure returns (address pool) {
require(key.token0 < key.token1);

https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/libraries/PoolAddress.sol#L33-L34

Impact

The tokenIn == tokenOut invariant can not be checked.

Tools used

Manual Review

Recommendations

Consider adding the corresponding check.

L-4/8. The SwapRouterMock.exactInputSingle function does not check deadline

Relevant GitHub Links

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/mock/SwapRouterMock.sol#L8-L12

Summary

The SwapRouterMock.exactInputSingle function does not check the deadline with checkDeadLine. This invariant can not be checked.

Vulnerability Details

The original exactInputSingle function has the checkDeadline modifier:

function exactInputSingle(ExactInputSingleParams calldata params)
external
payable
override
checkDeadline(params.deadline)
returns (uint256 amountOut)
{

https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/SwapRouter.sol#L119

Impact

The incorrect deadline invariant can not be checked.

Tools used

Manual Review

Recommendations

Consider adding the corresponding check.

L-5/8. The SwapRouterMock.exactInputSingle function does not check amountOut >= params.amountOutMinimum

Relevant GitHub Links

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/mock/SwapRouterMock.sol#L8-L12

Summary

The SwapRouterMock.exactInputSingle function does not check amountOut >= params.amountOutMinimum. This invariant can not be checked.

Vulnerability Details

The original exactInputSingle function has the amountOut >= params.amountOutMinimum require:

function exactInputSingle(ExactInputSingleParams calldata params)
...
require(amountOut >= params.amountOutMinimum, 'Too little received');
}

https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/SwapRouter.sol#L128

Impact

The insufficient amountOut invariant can not be checked.

Tools used

Manual Review

Recommendations

Consider adding the corresponding check.

L-6/8. The SNonfungiblePositionManagerMock.increaseLiquidity function does not check deadline

Relevant GitHub Links

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/mock/NonfungiblePositionManagerMock.sol#L7-L9

Summary

The SNonfungiblePositionManagerMock.increaseLiquidity function does not check the deadline with checkDeadLine. This invariant can not be checked.

Vulnerability Details

The original increaseLiquidity function has the checkDeadline modifier:

function increaseLiquidity(IncreaseLiquidityParams calldata params)
external
payable
override
checkDeadline(params.deadline)
returns (
{

https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/NonfungiblePositionManager.sol#L202

Impact

The incorrect deadline invariant can not be checked.

Tools used

Manual Review

Recommendations

Consider adding the corresponding check.

L-7/8. The SNonfungiblePositionManagerMock.increaseLiquidity function does not check amount0 >= params.amount0Min && amount1 >= params.amount1Min

Relevant GitHub Links

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/mock/SwapRouterMock.sol#L8-L12

Summary

The SNonfungiblePositionManagerMock.increaseLiquidity function does not check amount0 >= params.amount0Min && amount1 >= params.amount1Min. This invariant can not be checked.

Vulnerability Details

The execution flow of the original function has the amount0 >= params.amount0Min && amount1 >= params.amount1Min require:

require(amount0 >= params.amount0Min && amount1 >= params.amount1Min, 'Price slippage check');

https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/base/LiquidityManagement.sol#L88

Impact

The max price slippage invariant can not be checked.

Tools used

Manual Review

Recommendations

Consider adding the corresponding check.

L-8/8. The SNonfungiblePositionManagerMock.increaseLiquidity function does not revert if the tokenId is incorrect

Relevant GitHub Links

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/mock/SwapRouterMock.sol#L8-L12

Summary

The SNonfungiblePositionManagerMock.increaseLiquidity function does not does not revert if the tokenId is incorrect. This invariant can not be checked.

Impact

The incorrect tokenId invariant can not be checked.

Tools used

Manual Review

Recommendations

Consider adding the corresponding check.

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

SwapRouterMock/NonfungiblePositionManagerMock doesn't take into account prices or token pairs or any traditional protection mechanisms of Uniswap

WStETHMock.wrap not properly implemented compared to original

0x11singh99 Auditor
almost 2 years ago
inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

WStETHMock.wrap not properly implemented compared to original

SwapRouterMock/NonfungiblePositionManagerMock doesn't take into account prices or token pairs or any traditional protection mechanisms of Uniswap

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.