Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG]: investigate overflow safety of donate and feeGrowthGlobal #60

Open
moodysalem opened this issue Apr 22, 2022 · 3 comments
Open

[BUG]: investigate overflow safety of donate and feeGrowthGlobal #60

moodysalem opened this issue Apr 22, 2022 · 3 comments
Assignees
@hensha256

Comments

@moodysalem
Copy link
Contributor

it seems like it's possible that donate could allow overflowing fees earned to type(uint256).max, but needs investigation
@moodysalem moodysalem reopened this Apr 27, 2022
@hensha256
Copy link
Contributor

Okay i think this is possible in very extreme circumstances. I decided to start experimenting using the numbers on a super low liquidity v3 pool (because low liquidity => tiny denominator in the code). The one I played around with is JEJUDOGE ETH

Assuming liquidity 1 for simplicity of a low liquidity pool

JEJUDOGE has the following:

  • price: $0.000000000300651
  • feeGrowthGlobalX128: 2430461034183898847299003516607034091943925
  • decimals: 18

Lets say instead of decimals 18 we have 24, which seems a reasonable number of decimals.

With $1million, someone can:

  • Buy 1000000*(10^24)/0.000000000300651 JEJUDOGE tokens, and call donate
  • The maths would be:
amount * (2^128) / liquidity
= (1000000*(10^24)/0.000000000300651) * (2^128) / 1
= 1.13182 E78

Given that type(uint256).max is 1.15792 E77, this is an overflow.

This is of course a slightly extreme circumstance (very cheap token/high decimals, and very low liquidity), but its definitely within the realms of possibility.

@hensha256 hensha256 mentioned this issue Jun 7, 2022
Closed
@moodysalem
Copy link
Contributor Author

moodysalem commented Jun 7, 2022
edited
Loading

fee growth global is meant to overflow, i.e. overflow of fee growth global is not itself broken

in the example given, you're buying ~2^131 tokens, which violates the assumption that any token has <2^128 total supply (see https://www.wolframalpha.com/input?i=log+base+2+of+%281000000*%2810%5E24%29%2F0.000000000300651%29)

the issue is, given the total supply constraint of type(uint128).max, is it possible to overflow the fees earned computation for any position? or more importantly underflow the fees earned, so that the position can collect more fees than it has earned

@NoahZinsmeister
Copy link
Contributor

one more note: because donate only increments in-memory deltas, it might be possible to trigger undesired behavior like what moody described by donating an amount that isn't actually possible, and manipulating overflows s.t. they don't have to actually pay by the end of the lock.

another type of mitigation would be to only accept smaller uints in donate (uint128?) so that it'd be prohibitively gas-expensive to exploit an overflow

@hensha256 hensha256 changed the title investigate overflow safety of donate and feeGrowthGlobal [BUG]: investigate overflow safety of donate and feeGrowthGlobal Jun 12, 2023
@snreynolds snreynolds added the p0 Very important to fix label Oct 12, 2023
@hensha256 hensha256 removed the p0 Very important to fix label Mar 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hensha256 hensha256

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Overflow bug in donate Uniswap/v4-core
4 participants
@NoahZinsmeister @moodysalem @snreynolds @hensha256