UniV3 Adaptor vulnerability retrospective

On Wednesday March 8 2023, the Sommelier team discovered an exploitable issue with the UniV3Adaptor contract in the cellar. This vulnerability was discovered as part of ongoing security reviews that take place without our primary auditor Macro. This issue has been mitigated in production on Real Yield USD. No funds were at risk of theft from this vulnerability.

The vulnerability that was discovered enabled an attacker to massively increase the gas costs of internal accounting functions used in deposits, withdrawals and rebalances within the Cellar contract. To exploit the vulnerability, the attacker would have to create many low liquidity uniswap LP positions in pools used by the strategy. Each of these new positions would add to cost of the totalAssets() function call.

Mitigation:

Upon discovering and validating this vulnerability, the smart contract team informed Seven Seas of the mitigation plan. This plan involved directing the protocol to immediately exit all funds from UniV3 and sending a message to remove all tracked uniV3 positions.

In collaboration with Macro, we developed an updated UniV3 adapter that tracks only positions created internally by the protocol. The new adapter has the added benefit of increased gas efficiency for Cellar users. The updated adapter can be found here.

The Sommelier validators deployed a new version of the steward application for validators that provide limited access to Seven Seas to setup the new UniV3 adapter in Real Yield USD and will block all calls to the vulnerable adapter in the future. See the change to Steward here:

Learning:

This vulnerability places future emphasis on the validation of future adapters that we avoid building systems where external entities can add positions whose value will be tracked by the Cellar in totalAssets calls. We should look at techniques for detecting this surface area in our test and audit process.

1 Like