# Underflow Vulnerability in Uniswap V3 Position Fee Growth Calculations **Overview of the Vulnerability** In **Uniswap V3**, liquidity providers earn fees as trading occurs within the price range they provide liquidity for. These fees are tracked using fee growth variables, such as `feeGrowthInside0X128` and `feeGrowthInside1X128`. However, due to the way fee growth is calculated, **underflow** can occur when subtracting values during fee calculations, particularly when using Solidity 0.8+, which automatically prevents underflows. This protection, while valuable for preventing security issues, can inadvertently cause critical operations to revert if the underflow is not explicitly handled. This type of vulnerability becomes problematic in operations that rely on fee growth calculations, such as **liquidations**, where an underflow can cause the entire operation to fail. In this tutorial, we’ll explore the concept of underflow in fee growth calculations, its impact, and how to mitigate this issue in protocols interacting with Uniswap V3. *** #### How the Vulnerability Occurs 1. **Fee Growth Calculation**: In Uniswap V3, liquidity providers earn fees over time as trades occur within their liquidity range. The fees are tracked using variables such as `feeGrowthInside0X128` and `feeGrowthInside1X128`. These variables represent the cumulative growth of fees inside a specific tick range. 2. **Subtraction and Underflow**: When calculating fee growth, the protocol subtracts values associated with lower and upper ticks from global fee growth. If the result of this subtraction is negative, **underflow** occurs. In older versions of Solidity, this would result in a wrap-around, but in Solidity 0.8+ underflow is prevented, and the operation will revert. 3. **Impact of Underflow**: In protocols that rely on Uniswap V3’s fee growth calculations for critical operations—such as liquidations, collateral calculations, or closing positions—this underflow can cause the entire transaction to revert unexpectedly. This becomes particularly problematic when there is low liquidity or when using fee tiers with smaller fees, as the fee growth values are smaller and more susceptible to underflow. *** #### Key Concepts and Vulnerability Pattern 1. **Fee Growth Variables**: Fee growth variables in Uniswap V3 track the accumulation of fees inside specific tick ranges. These include: * `feeGrowthInside0X128`: Tracks the fee growth for token0. * `feeGrowthInside1X128`: Tracks the fee growth for token1. These values are updated as trades occur within the pool, and they are critical for calculating a liquidity provider's share of fees when they withdraw or adjust their position. 2. **Underflow Scenario**: When calculating fee growth, the protocol subtracts the values of `lowerFeeGrowthOutside` and `upperFeeGrowthOutside` from the global fee growth values. If the lower tick’s fee growth is higher than the upper tick’s, or if the pool is in a specific state, this subtraction can result in a negative value, causing an underflow and triggering a revert in Solidity 0.8+. 3. **Reverting Operations**: Since Solidity 0.8+ includes built-in protections against underflow and overflow, any operation that results in a negative value will cause the transaction to revert. This is especially problematic for operations that are time-sensitive or critical, such as liquidations or fee withdrawals. *** #### Impact of the Vulnerability * **Failed Liquidations**: If the protocol relies on fee growth calculations to determine whether a position can be liquidated, underflow in these calculations can cause the liquidation process to revert. This may prevent liquidators from closing risky positions, leading to higher risk exposure for the protocol. * **Blocked Withdrawals**: If a liquidity provider tries to withdraw their fees and an underflow occurs during the fee growth calculation, the withdrawal transaction will fail, leaving the liquidity provider unable to claim their earned fees. * **Protocol Instability**: Reverting transactions due to underflows can cause operational disruptions in the protocol, leading to inefficiencies and user dissatisfaction. It may also introduce vulnerabilities if attackers can intentionally trigger reverts in critical functions like liquidations or position adjustments. *** #### Mitigation Strategies for Underflow Vulnerabilities **1. Use Unchecked Blocks for Subtraction** One of the primary ways to mitigate this issue is to use **unchecked blocks** when performing subtraction in fee growth calculations. This allows the subtraction to occur without triggering an underflow check, thus preventing the transaction from reverting. * **How It Works**: Use the `unchecked` keyword in Solidity 0.8+ to bypass the built-in underflow protection for specific operations where the underflow is expected or can be handled in other ways. #### Conclusion Underflow vulnerabilities in Uniswap V3’s fee growth calculations can cause critical operations to revert, leading to failed liquidations, blocked fee withdrawals, and protocol instability. Since Solidity 0.8+ automatically prevents underflows, protocols that rely on Uniswap V3’s fee growth variables must take extra care to handle these calculations properly. By using unchecked blocks for specific operations, implementing fallback logic for underflow conditions, and thoroughly testing for edge cases, developers can mitigate the risk of underflow and ensure that their protocol operates smoothly and securely. Understanding these nuances is critical for building efficient, robust decentralized applications that interact with Uniswap V3. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://zokyo-auditing-tutorials.gitbook.io/zokyo-tutorials/tutorial-40-uniswap-v3/underflow-vulnerability-in-uniswap-v3-position-fee-growth-calculations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.