Remediation of Potential Exploit

Exploit #1: Manipulating the LP position and exploiting the delayed oracle price in the LP value calculation for profit

Refer here for details of an actual case of such an exploit. Even though that attack was performed via Uniswap V2 LP tokens, similar attack logic could still apply to V3 LP tokens. Essentially, the attack relies on the inconsistency between two prices: the price implied by the real-time numbers of the two assets in the LP pool, which is subject to manipulation, and the oracle price of the two assets, by which those numbers are multiplied to calculate the LP value.

Remediation: Unifying the price used in the calculation of the LP position and LP value

There are essentially two prices in this context:

  1. Pool-implied price denotes the price implied by the numbers of the two assets in the LP pool. In the Uniswap V2 setting, the pool-implied price equals the ratio between the numbers of the two assets, i.e. $P=\frac{x}{y}$, where $x$ and $y$ denote the numbers of assets X and Y in the LP pool respectively. The Uniswap V3 setting is different, but the pool-implied price is still a function of $x$ and $y$.

  2. Oracle price denotes the price feed obtained from oracles like Chainlink. As Chainlink prices come from contributors who obtain them from different sources (i.e. DEXes and CEXes), the oracle price is less likely to be manipulated than the pool-implied price.

Therefore, to unify the price used in the calculation of the LP position (eq. 3 and 4 on the Uniswap V3 LP Token Analyzer page) and the LP value (eq. 1 on the Dynamics and Stability of Value of Uniswap V3 LP Tokens page), we use the oracle price in both cases. From an implementation perspective, we:

  1. Use the oracle price to derive the numbers of the two assets in the LP position; then

  2. Again use the oracle price to multiply the numbers of the two assets and derive the value of the LP position.
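The contrast between the inconsistent valuation and the unified one, as an added example (not the protocol's own code). It assumes the standard Uniswap V3 whitepaper formulas for the amounts held by a position with liquidity L over a price range, with the price quoted as units of Y per unit of X; the function names and all figures are constructed for illustration.

```python
from math import sqrt

def position_amounts(liquidity, price, p_lower, p_upper):
    """Amounts (x, y) a V3 position holds when the price is `price` (Y per X)."""
    # Outside [p_lower, p_upper] the position sits entirely in one asset.
    p = min(max(price, p_lower), p_upper)
    x = liquidity * (1 / sqrt(p) - 1 / sqrt(p_upper))
    y = liquidity * (sqrt(p) - sqrt(p_lower))
    return x, y

def mixed_value(liquidity, p_lower, p_upper, pool_price, x_usd, y_usd):
    """Inconsistent: amounts from the manipulable pool price, valued at oracle prices."""
    x, y = position_amounts(liquidity, pool_price, p_lower, p_upper)
    return x * x_usd + y * y_usd

def unified_value(liquidity, p_lower, p_upper, x_usd, y_usd):
    """Remediation: the oracle price drives both the amounts and the valuation."""
    oracle_price = x_usd / y_usd  # Y per X implied by the two oracle feeds
    x, y = position_amounts(liquidity, oracle_price, p_lower, p_upper)
    return x * x_usd + y * y_usd

# Constructed position and oracle feeds (not taken from any real pool).
L, P_LOWER, P_UPPER = 1000.0, 1500.0, 2500.0
X_USD, Y_USD = 2000.0, 1.0

if __name__ == "__main__":
    fair = unified_value(L, P_LOWER, P_UPPER, X_USD, Y_USD)
    print(f"unified (oracle only): {fair:.2f}")
    # The pool-implied price is the only input that can be moved in real time.
    for pool_price in (1500.0, 2000.0, 2500.0):
        v = mixed_value(L, P_LOWER, P_UPPER, pool_price, X_USD, Y_USD)
        print(f"pool price {pool_price:.0f}: mixed {v:.2f} ({v / fair - 1:+.2%})")
```

The mixed valuation matches the unified one only when the pool-implied price equals the oracle price; any divergence in either direction inflates it, while the unified valuation does not depend on the pool-implied price at all.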

Exploit #2: DOS by exploiting block gas limit

Ethereum has a block gas limit, which means the amount of computation that can be done in the block is limited. This can lead to a potential exploit where exploiters cause certain actions to exceed the gas limit which can result in a denial of service (DOS).

The dynamic LP token pricing, LTV and liquidation threshold can cause certain actions, such as liquidation, to consume more gas, since the smart contract needs to iterate over these tokens and calculate the value of each one individually. If the number of supplied NFTs per address is high, liquidating them could require more gas than is allowed in one block; these LP tokens could therefore never be liquidated.

Remediation:

One way to prevent this is to set a limit on how many ERC721 tokens can be supplied to the protocol, keeping the calculation within the block gas limit.
