Uniswap V3: sqrtPriceX96

Did you know that UniswapV3 sqrtPriceX96 can cause an overflow in your protocol if not handled correctly?

That problem was found in the Goodentry protocol. Let's see how can that happen.

poolMatchesOracle is used to compare price calculated from uniswap v3 pool and chainlink oracle and decide whether rebalance should happened or not. priceX8 will be holding price information calculated using sqrtPriceX96 when operations is performed, it will try to scale down using 2 12. However, the scale down is not enough and overflow can still happened here:

priceX8 = priceX8 * uint(sqrtPriceX96 / 2 12) 2 * 1e8 / 2**168;

This problem can happen because of high sqrtPriceX96 values on some pools, such as WBTC/ETH, WBTC/DAI. In the report you can find a POC with a WBTC/WETH pool example:

As a solution you can use a scaled down sqrtPriceX96 that was used in the Uniswap library. For example, instead of

priceX8 = priceX8 * uint(sqrtPriceX96 / 2 12) 2 * 1e8 / 2**168;

use:

priceX8 = priceX8 * (uint(sqrtPriceX96) 2 / 2 ** 64) * 1e8 / 2**128;

A widely used implementation method is not always 100% safe!

Learn more with me!