fix: Slippage, Tick Ranges, Attacks

Author: deluca-mike

src/MainnetController.sol

@@ -97,8 +97,9 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
     }
 
     struct UniswapV4Limits {
-        int24 tickLowerMin;
-        int24 tickUpperMax;
+        int24  tickLowerMin;
+        int24  tickUpperMax;
+        uint24 maxTickRange;
     }
 
     /**********************************************************************************************/
@@ -135,7 +136,7 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
         bool            isWhitelisted
     );
     event RelayerRemoved(address indexed relayer);
-    event UniswapV4TickLimitsSet(bytes32 indexed poolId, int24 tickLowerMin, int24 tickUpperMax);
+    event UniswapV4TickLimitsSet(bytes32 indexed poolId, int24 tickLowerMin, int24 tickUpperMax, uint24 maxTickRange);
 
     /**********************************************************************************************/
     /*** State variables                                                                        ***/
@@ -322,7 +323,8 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
     function setUniswapV4TickLimits(
         bytes32 poolId,
         int24   tickLowerMin,
-        int24   tickUpperMax
+        int24   tickUpperMax,
+        uint24  maxTickRange
     )
         external nonReentrant
     {
@@ -332,10 +334,11 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
 
         uniswapV4Limits[poolId] = UniswapV4Limits({
             tickLowerMin : tickLowerMin,
-            tickUpperMax : tickUpperMax
+            tickUpperMax : tickUpperMax,
+            maxTickRange : maxTickRange
         });
 
-        emit UniswapV4TickLimitsSet(poolId, tickLowerMin, tickUpperMax);
+        emit UniswapV4TickLimitsSet(poolId, tickLowerMin, tickUpperMax, maxTickRange);
     }
 
     /**********************************************************************************************/
@@ -650,14 +653,18 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
         require(tickLower >= limits.tickLowerMin, "MC/tickLower-too-low");
         require(tickUpper <= limits.tickUpperMax, "MC/tickUpper-too-high");
 
+        require(
+            uint256(int256(tickUpper) - int256(tickLower)) <= limits.maxTickRange,
+            "MC/tickRange-too-wide"
+        );
+
         // NOTE: `maxSlippages` is a mapping from address to uint256, so we have to take the lower
         //       160 bits of the id. It is possible, but highly unlikely there is a collision.
         UniswapV4Lib.mintPosition({
             commonParams: UniswapV4Lib.CommonParams({
                 proxy       : address(proxy),
                 rateLimits  : address(rateLimits),
                 rateLimitId : LIMIT_UNISWAP_V4_DEPOSIT,
-                maxSlippage : maxSlippages[address(uint160(uint256(poolId)))],
                 poolId      : poolId
             }),
             tickLower  : tickLower,
@@ -686,7 +693,6 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
                 proxy       : address(proxy),
                 rateLimits  : address(rateLimits),
                 rateLimitId : LIMIT_UNISWAP_V4_DEPOSIT,
-                maxSlippage : maxSlippages[address(uint160(uint256(poolId)))],
                 poolId      : poolId
             }),
             tokenId           : tokenId,
@@ -711,7 +717,6 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
                 proxy       : address(proxy),
                 rateLimits  : address(rateLimits),
                 rateLimitId : LIMIT_UNISWAP_V4_WITHDRAW,
-                maxSlippage : maxSlippages[address(uint160(uint256(poolId)))],
                 poolId      : poolId
             }),
             tokenId    : tokenId,
@@ -736,7 +741,6 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
                 proxy       : address(proxy),
                 rateLimits  : address(rateLimits),
                 rateLimitId : LIMIT_UNISWAP_V4_WITHDRAW,
-                maxSlippage : maxSlippages[address(uint160(uint256(poolId)))],
                 poolId      : poolId
             }),
             tokenId           : tokenId,

src/interfaces/UniswapV4.sol

@@ -12,7 +12,7 @@ interface IPositionManagerLike {
         uint256 tokenId
     ) external view returns (PoolKey memory poolKey, PositionInfo info);
 
-    function poolKeys(bytes25 poolId) external view returns (PoolKey memory poolKeys);
+    function poolKeys(bytes25 poolId) external view returns (PoolKey memory poolKey);
 
     function modifyLiquidities(bytes calldata unlockData, uint256 deadline) external payable;
 

src/libraries/UniswapV4Lib.sol

@@ -19,14 +19,12 @@ library UniswapV4Lib {
         address proxy;
         address rateLimits;
         bytes32 rateLimitId;
-        uint256 maxSlippage;
         bytes32 poolId;  // the PoolId of the Uniswap V4 pool
     }
 
     // NOTE: From https://docs.uniswap.org/contracts/v4/deployments
     address internal constant _PERMIT2          = 0x000000000022D473030F116dDEE9F6B43aC78BA3;
     address internal constant _POSITION_MANAGER = 0xbD216513d74C8cf14cf4747E6AaA6420FF64ee9e;
-    address internal constant _STATE_VIEW       = 0x7fFE42C4a5DEeA5b0feC41C94C136Cf115597227;
 
     /**********************************************************************************************/
     /*** Interactive Functions                                                                  ***/
@@ -259,12 +257,10 @@ library UniswapV4Lib {
         bytes        memory   actions,
         bytes[]      memory   params
     ) internal returns (uint256 rateLimitDecrease) {
-        _requireNonZeroMaxSlippage(commonParams);
-
         _approvePositionManager(commonParams.proxy, token0, amount0Max);
         _approvePositionManager(commonParams.proxy, token1, amount1Max);
 
-        // Get token balances before mint.
+        // Get token balances before liquidity increase.
         uint256 startingBalance0 = _getBalance(token0, commonParams.proxy);
         uint256 startingBalance1 = _getBalance(token1, commonParams.proxy);
 
@@ -277,23 +273,10 @@ library UniswapV4Lib {
             )
         );
 
-        // Get token balances after mint.
+        // Get token balances after liquidity increase.
         uint256 endingBalance0 = _getBalance(token0, commonParams.proxy);
         uint256 endingBalance1 = _getBalance(token1, commonParams.proxy);
 
-        // Ensure the amountMax is below the allowed worst case scenario (amount / maxSlippage).
-        require(
-            amount0Max * commonParams.maxSlippage <=
-            _clampedSub(startingBalance0, endingBalance0) * 1e18,
-            "MC/amount0Max-too-high"
-        );
-
-        require(
-            amount1Max * commonParams.maxSlippage <=
-            _clampedSub(startingBalance1, endingBalance1) * 1e18,
-            "MC/amount1Max-too-high"
-        );
-
         // Account for the theoretical possibility of receiving tokens when adding liquidity by
         // using a clamped subtraction.
         // NOTE: The limitation of this integration is the assumption that the tokens are valued
@@ -328,9 +311,7 @@ library UniswapV4Lib {
         bytes        memory   actions,
         bytes[]      memory   params
     ) internal returns (uint256 rateLimitDecrease) {
-        _requireNonZeroMaxSlippage(commonParams);
-
-        // Get token balances before mint.
+        // Get token balances before liquidity decrease.
         uint256 startingBalance0 = _getBalance(token0, commonParams.proxy);
         uint256 startingBalance1 = _getBalance(token1, commonParams.proxy);
 
@@ -343,28 +324,15 @@ library UniswapV4Lib {
             )
         );
 
-        // Get token balances after mint.
+        // Get token balances after liquidity decrease.
         uint256 endingBalance0 = _getBalance(token0, commonParams.proxy);
         uint256 endingBalance1 = _getBalance(token1, commonParams.proxy);
 
-        // Ensure the amountMin is above the allowed worst case scenario (amount * maxSlippage).
-        require(
-            amount0Min * 1e18 >= (endingBalance0 - startingBalance0) * commonParams.maxSlippage,
-            "MC/amount0Min-too-small"
-        );
-
-        require(
-            amount1Min * 1e18 >= (endingBalance1 - startingBalance1) * commonParams.maxSlippage,
-            "MC/amount1Min-too-small"
-        );
-
         // NOTE: The limitation of this integration is the assumption that the tokens are valued
         //       equally (i.e. 1.00000 USDC = 1.000000000000000000 USDS).
         rateLimitDecrease =
-            _getNormalizedBalance(token0, endingBalance0) +
-            _getNormalizedBalance(token1, endingBalance1) -
-            _getNormalizedBalance(token0, startingBalance0) -
-            _getNormalizedBalance(token1, startingBalance1);
+            _getNormalizedBalance(token0, endingBalance0 - startingBalance0) +
+            _getNormalizedBalance(token1, endingBalance1 - startingBalance1);
 
         // Perform rate limit decrease.
         IRateLimits(commonParams.rateLimits).triggerRateLimitDecrease(
@@ -396,10 +364,6 @@ library UniswapV4Lib {
         return IPositionManagerLike(_POSITION_MANAGER).poolKeys(bytes25(poolId));
     }
 
-    function _requireNonZeroMaxSlippage(CommonParams calldata commonParams) internal pure {
-        require(commonParams.maxSlippage != 0, "MC/maxSlippage-not-set");
-    }
-
     function _requirePoolIdMatch(bytes32 poolId, uint256 tokenId) internal view {
         ( PoolKey memory poolKey, ) = IPositionManagerLike(_POSITION_MANAGER).getPoolAndPositionInfo(tokenId);