Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No way for governance to properly update feeProtocolNum and feeProtocolDen #7

Closed
howlbot-integration bot opened this issue Nov 4, 2024 · 3 comments
Closed

No way for governance to properly update feeProtocolNum and feeProtocolDen #7

howlbot-integration bot opened this issue Nov 4, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates 🤖_primary AI based primary recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/ronin-chain/katana-v3-contracts/blob/03c80179e04f40d96f06c451ea494bb18f2a58fc/src/core/KatanaV3Factory.sol#L105
https://github.com/ronin-chain/katana-v3-contracts/blob/03c80179e04f40d96f06c451ea494bb18f2a58fc/src/core/KatanaV3Factory.sol#L123
https://github.com/ronin-chain/katana-v3-contracts/blob/03c80179e04f40d96f06c451ea494bb18f2a58fc/src/core/KatanaV3Pool.sol#L253
https://github.com/ronin-chain/katana-v3-contracts/blob/03c80179e04f40d96f06c451ea494bb18f2a58fc/src/core/KatanaV3Pool.sol#L261-L262

Vulnerability details

Proof of Concept

feeProtocolNum and feeProtocolDen cannot be updated in slot0 struct if needed by pool governance due to an equivalent function not being available, and if done through factory, will not register in the struct leading to operations being conducted with stale parameters.

There's no equivalent function to update the feeProtocolAmounts causing that feeProtocolNum and feeProtocolDen cannot be directly updated in the pool (unlike can be done in uniswap).

Although, KatanaV3Factory has the enableFeeAmount which allows the owner to set, or potentially update the feeProtocolNum and feeProtocolDen parameters,

  function _enableFeeAmount(uint24 fee, int24 tickSpacing, uint8 feeProtocolNum, uint8 feeProtocolDen) private {
    feeAmountTickSpacing[fee] = tickSpacing;
>>  feeAmountProtocol[fee] = Fraction(feeProtocolNum, feeProtocolDen);
    emit FeeAmountEnabled(fee, tickSpacing, feeProtocolNum, feeProtocolDen);
  }

the update, while registered in the factory will not be updated in the slot0 struct and as a result, pool operations will still be conducted based on the previous stale feeProtocolNum and feeProtocolDen.

Recommended Mitigation Steps

Add a relevant governance function to update the feeAmountProtocol in slot0 based on the enabled feeAmount. Or introduce a stand-alone function similar to uniswap's setFeeProtocol

Assessed type

Context
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_primary AI based primary recommendation bug Something isn't working primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Nov 4, 2024
howlbot-integration bot added a commit that referenced this issue Nov 4, 2024
@howlbot-integration
inh3l issue #7
f8b03f7
@khangvv
Copy link

khangvv commented Nov 4, 2024

For clarity, we removed the setFeeProtocol function from Uniswap, as we moved the fee tier enablement feature to the Factory, determined before pool deployments. In the updated code, enableFeeAmount is intended only to set new fee tiers for future pools and does not affect any deployed pools (see reference).

If you have specific concerns about removing setFeeProtocol and the potential risks, please leave an update comment.

@khangvv khangvv added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Nov 4, 2024
@alex-ppg
Copy link

The submission states that it is not possible to retroactively change the fee imposed on a particular pool once it has been established. This behavior is in line with the business requirements of the current system and I do not envision any vulnerability arising from it.

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Nov 11, 2024
@c4-judge
Copy link

alex-ppg marked the issue as unsatisfactory:
Invalid

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates 🤖_primary AI based primary recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alex-ppg @c4-judge @khangvv