Brisk Pine Camel Incorrect Swap Direction Due To Lexicographic Token Comparison In VelodromeExecutor

Introduction

This article delves into a critical vulnerability discovered in the VelodromeExecutor contract, dubbed "Brisk Pine Camel." This incorrect swap direction issue arises from a flawed implementation of token comparison during swap execution, potentially leading to failed transactions, unexpected outputs, and financial losses. The core problem lies in the contract's reliance on a simple lexicographic comparison of token addresses to determine the swap direction, a method that doesn't accurately reflect the underlying pool's token order. This article aims to provide a comprehensive understanding of the vulnerability, its root cause, potential impact, and a recommended mitigation strategy.

Summary of the Vulnerability

The VelodromeExecutor contract, responsible for executing swaps on Velodrome v2, makes a critical error in determining the swap direction. It uses a lexicographic comparison of the fromToken and toToken addresses, as shown in the following code snippet:

bool zeroForOne = fromToken < toToken;

This approach assumes that the numerical order of token addresses corresponds to the token order within the Velodrome pool (token0 and token1). However, this assumption is flawed. The correct swap direction must be determined by comparing the fromToken to the actual pool token order, not just by comparing the token addresses directly. This seemingly small oversight can have significant consequences, including incorrect price limits, failed swaps, and unexpected output amounts.

Root Cause Analysis

The root cause of this vulnerability stems from a misunderstanding of how Uniswap-style Automated Market Makers (AMMs) handle token ordering. While AMMs like Velodrome internally sort tokens lexicographically as token0 and token1 within the pool contract, the swap direction must be determined based on which token is being sold relative to the pool's established token order. The contract's current implementation bypasses this crucial step, leading to misinterpretations of the swap direction. The following code excerpt highlights the problematic logic:

IVelodromeRouter(arg.router).exactInputSingle(
    IVelodromeRouter.ExactInputSingleParams({
        tokenIn: fromToken,
        tokenOut: toToken,
        tickSpacing: arg.tickSpacing,
        recipient: address(this),
        deadline: block.timestamp,
        amountIn: fromTokenAmount,
        amountOutMinimum: 0,
        sqrtPriceLimitX96: arg.sqrtX96 == 0
            ? (zeroForOne ? UniswapV3Lib.MIN_SQRT_RATIO + 1 : UniswapV3Lib.MAX_SQRT_RATIO - 1)
            : arg.sqrtX96
    })
);

Here, the zeroForOne boolean, determined by the faulty address comparison, directly influences the sqrtPriceLimitX96 value. An incorrect zeroForOne value leads to an incorrect sqrtPriceLimitX96, potentially causing the swap to fail or execute at an unfavorable price.

Impact of the Vulnerability

The impact of this vulnerability can be substantial, potentially affecting the functionality and reliability of the VelodromeExecutor contract. The miscalculation of the zeroForOne flag, stemming from the naive lexicographical comparison, can lead to several adverse outcomes:

• Incorrect Price Limit: The sqrtPriceLimitX96 value, crucial for setting the acceptable price range for the swap, may be set towards the wrong boundary (either MIN_SQRT_RATIO or MAX_SQRT_RATIO). This can cause the swap to revert or execute far outside the intended price range, leading to significant slippage and financial loss for the user.
• Swap Failure: If the calculated price limit is incompatible with the current market price, the swap will fail entirely. The transaction will revert, preventing the execution of the trade and wasting gas fees.
• Unexpected Output Amount: Even if the swap doesn't fail outright, an incorrect price limit can lead to an execution at a significantly different price than expected. This can result in the user receiving a lower output amount than anticipated, impacting the efficiency of their trade.

In essence, this vulnerability undermines the fundamental purpose of the VelodromeExecutor contract, which is to facilitate efficient and reliable swaps on the Velodrome v2 platform. The potential for financial loss and transaction failures makes this a high-severity issue.

Mitigation Strategy

To mitigate this vulnerability, the VelodromeExecutor contract needs to implement a more accurate method for determining the swap direction. Instead of relying on a simple lexicographic comparison of token addresses, the contract should fetch the token0 and token1 addresses directly from the pool contract and compare the fromToken against them. The following code snippet illustrates the recommended fix:

address token0 = IUniswapV3Pool(pool).token0();
bool zeroForOne = (fromToken == token0);

This approach ensures that the swap direction is determined based on the actual token order within the pool, eliminating the risk of misinterpretation caused by the flawed address comparison. By implementing this fix, the VelodromeExecutor contract can ensure the accurate execution of swaps and prevent the potential for financial losses.

Detailed Explanation and Technical Aspects

To further understand the technical aspects of this vulnerability, let's delve deeper into the workings of Uniswap-style AMMs and the significance of the sqrtPriceLimitX96 parameter. Uniswap V3 and its derivatives, like Velodrome, utilize a concentrated liquidity model, allowing liquidity providers to specify price ranges within which their liquidity will be active. This approach enhances capital efficiency but also introduces complexities in swap execution.

The sqrtPriceLimitX96 parameter plays a crucial role in controlling the price slippage during a swap. It defines the maximum (or minimum) price at which the swap is allowed to execute. If the market price reaches the limit before the entire input amount is swapped, the transaction will revert, preventing the user from receiving an unexpectedly low output amount. The correct setting of sqrtPriceLimitX96 is therefore paramount for successful swap execution.

In the vulnerable code, the zeroForOne flag, which dictates the direction of the swap, directly influences the calculation of sqrtPriceLimitX96. If zeroForOne is incorrectly determined, the sqrtPriceLimitX96 value will be set towards the wrong boundary, either MIN_SQRT_RATIO or MAX_SQRT_RATIO. This can lead to several scenarios:

1. Price Limit Too Restrictive: If the sqrtPriceLimitX96 is set too close to the current market price in the wrong direction, the swap might revert prematurely, even if there is sufficient liquidity in the pool. This is because the swap will hit the price limit before consuming the entire input amount.
2. Price Limit Too Permissive: Conversely, if the sqrtPriceLimitX96 is set too far from the current market price, the swap might execute at an unfavorable price, resulting in significant slippage and a lower output amount for the user. This scenario is particularly concerning in volatile market conditions.

The vulnerability's impact extends beyond individual swaps. If a large number of swaps are executed with an incorrect sqrtPriceLimitX96, it can distort the overall market price and potentially lead to cascading effects. This underscores the importance of addressing this vulnerability promptly and thoroughly.

The recommended mitigation strategy, which involves fetching token0 and token1 from the pool and comparing the fromToken against them, effectively resolves this issue. This approach ensures that the zeroForOne flag accurately reflects the swap direction relative to the pool's internal token order, leading to a correctly calculated sqrtPriceLimitX96 and reliable swap execution.

Conclusion

The Brisk Pine Camel vulnerability highlights the importance of meticulous attention to detail in smart contract development. A seemingly small error in logic, such as the incorrect comparison of token addresses, can have significant consequences, leading to transaction failures and financial losses. The VelodromeExecutor contract's reliance on a lexicographic comparison of token addresses to determine the swap direction is a critical flaw that needs to be addressed.

The recommended mitigation strategy, which involves fetching token0 and token1 from the pool and comparing the fromToken against them, provides a robust solution to this vulnerability. By implementing this fix, the VelodromeExecutor contract can ensure the accurate execution of swaps, protect users from financial losses, and maintain the integrity of the Velodrome v2 platform. This case serves as a valuable lesson for smart contract developers, emphasizing the need for thorough testing, rigorous code reviews, and a deep understanding of the underlying protocols and mechanisms.

It is crucial to emphasize the importance of security audits in identifying and mitigating vulnerabilities like Brisk Pine Camel. Regular audits by experienced professionals can help uncover hidden flaws and ensure the reliability and security of decentralized applications. By proactively addressing potential issues, developers can build trust within the community and foster the widespread adoption of blockchain technology.