🌊Underflow Vulnerability in Uniswap V3 Position Fee Growth Calculations

Overview of the Vulnerability

In Uniswap V3, liquidity providers earn fees as trading occurs within the price range they provide liquidity for. These fees are tracked using fee growth variables, such as feeGrowthInside0X128 and feeGrowthInside1X128. However, the fee growth calculation subtracts values in a way that can underflow. Under Solidity 0.8+, which checks arithmetic automatically, such a subtraction reverts instead of wrapping around. This protection, while valuable for preventing security issues, can inadvertently cause critical operations to revert if the underflow is not explicitly handled.

This type of vulnerability becomes problematic in operations that rely on fee growth calculations, such as liquidations, where an underflow can cause the entire operation to fail. In this tutorial, we’ll explore the concept of underflow in fee growth calculations, its impact, and how to mitigate this issue in protocols interacting with Uniswap V3.


How the Vulnerability Occurs

  1. Fee Growth Calculation: In Uniswap V3, liquidity providers earn fees over time as trades occur within their liquidity range. The fees are tracked using variables such as feeGrowthInside0X128 and feeGrowthInside1X128. These variables represent the cumulative growth of fees inside a specific tick range.

  2. Subtraction and Underflow: When calculating fee growth, the protocol subtracts values associated with lower and upper ticks from global fee growth. If the result of this subtraction is negative, underflow occurs. In older versions of Solidity, this would result in a wrap-around, but in Solidity 0.8+ underflow is prevented, and the operation will revert.

  3. Impact of Underflow: In protocols that rely on Uniswap V3’s fee growth calculations for critical operations—such as liquidations, collateral calculations, or closing positions—this underflow can cause the entire transaction to revert unexpectedly. This becomes particularly problematic when there is low liquidity or when using fee tiers with smaller fees, as the fee growth values are smaller and more susceptible to underflow.


Key Concepts and Vulnerability Pattern

  1. Fee Growth Variables: Fee growth variables in Uniswap V3 track the accumulation of fees inside specific tick ranges. These include:

    • feeGrowthInside0X128: Tracks the fee growth for token0.

    • feeGrowthInside1X128: Tracks the fee growth for token1.

    These values are updated as trades occur within the pool, and they are critical for calculating a liquidity provider's share of fees when they withdraw or adjust their position.

  2. Underflow Scenario: When calculating fee growth, the protocol subtracts the values of lowerFeeGrowthOutside and upperFeeGrowthOutside from the global fee growth values. If the lower tick’s fee growth is higher than the upper tick’s, or if the pool is in a specific state, this subtraction can result in a negative value, causing an underflow and triggering a revert in Solidity 0.8+.

  3. Reverting Operations: Since Solidity 0.8+ includes built-in protections against underflow and overflow, any operation that results in a negative value will cause the transaction to revert. This is especially problematic for operations that are time-sensitive or critical, such as liquidations or fee withdrawals.


Impact of the Vulnerability

  • Failed Liquidations: If the protocol relies on fee growth calculations to determine whether a position can be liquidated, underflow in these calculations can cause the liquidation process to revert. This may prevent liquidators from closing risky positions, leading to higher risk exposure for the protocol.

  • Blocked Withdrawals: If a liquidity provider tries to withdraw their fees and an underflow occurs during the fee growth calculation, the withdrawal transaction will fail, leaving the liquidity provider unable to claim their earned fees.

  • Protocol Instability: Reverting transactions due to underflows can cause operational disruptions in the protocol, leading to inefficiencies and user dissatisfaction. It may also introduce vulnerabilities if attackers can intentionally trigger reverts in critical functions like liquidations or position adjustments.


Mitigation Strategies for Underflow Vulnerabilities

1. Use Unchecked Blocks for Subtraction

One of the primary ways to mitigate this issue is to use unchecked blocks when performing subtraction in fee growth calculations. This allows the subtraction to occur without triggering an underflow check, thus preventing the transaction from reverting.

  • How It Works: Use the unchecked keyword in Solidity 0.8+ to bypass the built-in underflow protection for specific operations where the underflow is expected or can be handled in other ways.
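The subtraction described under "How the Vulnerability Occurs" and this mitigation, side by side, as an added example that is not Uniswap's or any protocol's own code. The library name, function names and parameters are assumptions; it covers a single token and takes the tick values as plain arguments.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: hypothetical library, single token, tick data passed in
// as arguments instead of being read from pool storage.
library FeeGrowthMath {
    // Checked arithmetic (the 0.8+ default): if any subtraction goes below
    // zero the call reverts with Panic(0x11), and the calling transaction with it.
    function insideChecked(
        int24 tickLower,
        int24 tickUpper,
        int24 tickCurrent,
        uint256 globalX128,
        uint256 lowerOutsideX128,
        uint256 upperOutsideX128
    ) internal pure returns (uint256) {
        uint256 below = tickCurrent >= tickLower ? lowerOutsideX128 : globalX128 - lowerOutsideX128;
        uint256 above = tickCurrent < tickUpper ? upperOutsideX128 : globalX128 - upperOutsideX128;
        return globalX128 - below - above;
    }

    // Same formula inside `unchecked`: results wrap modulo 2**256, which is the
    // pre-0.8 wrap-around behaviour, so the call never reverts on underflow.
    function insideUnchecked(
        int24 tickLower,
        int24 tickUpper,
        int24 tickCurrent,
        uint256 globalX128,
        uint256 lowerOutsideX128,
        uint256 upperOutsideX128
    ) internal pure returns (uint256 inside) {
        unchecked {
            uint256 below = tickCurrent >= tickLower ? lowerOutsideX128 : globalX128 - lowerOutsideX128;
            uint256 above = tickCurrent < tickUpper ? upperOutsideX128 : globalX128 - upperOutsideX128;
            inside = globalX128 - below - above;
        }
    }

    // Growth since the position's last snapshot. Both inputs may be wrapped
    // values; their difference modulo 2**256 is still the true growth, so this
    // subtraction has to be unchecked as well.
    function growthSince(uint256 insideNowX128, uint256 insideLastX128)
        internal pure returns (uint256 delta)
    {
        unchecked {
            delta = insideNowX128 - insideLastX128;
        }
    }
}
```

Keep the `unchecked` scope limited to these subtractions; token amounts derived from the resulting delta should stay under checked arithmetic.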

Conclusion

Underflow vulnerabilities in Uniswap V3’s fee growth calculations can cause critical operations to revert, leading to failed liquidations, blocked fee withdrawals, and protocol instability. Since Solidity 0.8+ automatically prevents underflows, protocols that rely on Uniswap V3’s fee growth variables must take extra care to handle these calculations properly.

By using unchecked blocks for specific operations, implementing fallback logic for underflow conditions, and thoroughly testing for edge cases, developers can mitigate the risk of underflow and ensure that their protocol operates smoothly and securely. Understanding these nuances is critical for building efficient, robust decentralized applications that interact with Uniswap V3.
