Full Report
Gearbox is a composable leverage protocol. It allows a user to take leverage on a collateral asset and use the borrowed funds through a CreditAccount across DeFi. A common piece of functionality for every lending and borrowing platform is a simple health check, which verifies whether a user's account is solvent or not.

How do users get their funds? There are routers (adapters) for every protocol, such as Uniswap and Curve. There is a sanity check at the beginning of the router that parses the user input for which tokens to swap. On UniswapV3, this same information for the path is parsed as well, but the parsing is done slightly differently from a byte array. Gearbox takes the byte array and parses the first 20 bytes as token A. It then takes the FINAL 20 bytes and parses them as token B. Uniswap, by contrast, reads the first 20 bytes as token A, the next 3 bytes as the fee, and the next 20 bytes as token B. The big difference here is the parsing of token B, because of the little fee in there!

The author came up with the following payload:

abi.encodePacked(WBTC, poolFee, WETH, DAI)

Token A will always be WBTC. However, Gearbox will parse token B as DAI, while Uniswap will see WETH. This discrepancy means that the health check for Gearbox can be bypassed.

To launch this attack, the author performed the following steps:

1. Deploy a fake token on Uniswap.
2. Make the pool 1 fake = 1 WETH = 0.0000000000001 WBTC.
3. Provide a small amount of liquidity for the fake token with both WBTC and WETH at a big exchange rate.
4. Make a swap payload with the fake token and WBTC: abi.encodePacked(WBTC, poolFee, fake, poolFee, WETH). The sanity check will be on the pool for the fake token and WBTC, while the actual money will be taken from WETH. This results in the attacker swapping at the ratio of the fake token to the other tokens, for instance 1 WETH for 0.0000000000001 WBTC.
5. Mint their fake token and claim a bunch of WETH from the pool.

Overall, a super interesting bug!
The path variable is a commonly used pattern for swaps. So, this is something to watch out for and something I've looked for in the past.
Analysis Summary
# Vulnerability: Path-Parsing Confusion in Gearbox UniswapV3 Adapter
## CVE Details
- **CVE ID:** Not assigned (Internal Protocol Issue)
- **CVSS Score:** 9.0 - 10.0 (Estimated Critical)
- **CWE:** CWE-697: Incorrect Comparison / CWE-1286: Improper Input Validation (Parsing Confusion)
## Affected Systems
- **Products:** Gearbox Protocol
- **Versions:** Vulnerable prior to March 25, 2022 fix.
- **Configurations:** Specifically affects the `UniV3Adapter.sol` contract when handling `exactOutput` and `exactInput` swap operations via the UniswapV3 Router.
## Vulnerability Description
The vulnerability stems from a discrepancy in how the Gearbox UniswapV3 Adapter and the actual UniswapV3 Router parse the `path` byte array during a swap.
UniswapV3 paths are encoded as: `[tokenA][fee][tokenB][fee][tokenC]...`
- **UniswapV3 Parser:** Correctly identifies the first 20 bytes as Token A, the next 3 bytes as the fee, and the following 20 bytes as Token B.
- **Gearbox Parser:** Performed a simplified extraction, taking the **first 20 bytes** as `tokenIn` and the **final 20 bytes** of the array as `tokenOut`.
An attacker can provide a multi-hop path (e.g., `[WBTC][fee][FakeToken][fee][WETH]`). In this scenario:
1. **Gearbox** sees `tokenIn` as WBTC and `tokenOut` as WETH.
2. **Uniswap** executes a swap between WBTC and FakeToken.
3. Because the parsers disagree on which tokens are being exchanged, the Gearbox "Health Check" (which validates that the value of the output token matches the value of the input token) can be bypassed or manipulated using skewed liquidity pools for the "FakeToken."
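The following Python is an added example, not Gearbox or Uniswap code. It reproduces both parsings described above and in the Full Report over the UniswapV3 path byte layout (`[20-byte token][3-byte fee][20-byte token]...`), and adds the parity check a reviewer would want: a walk over every hop that reports any token the router will route through that the naive (first 20 / last 20) view never sees. The token addresses are constructed placeholders, and the strict length check in `walk_hops` is this example's own rule, not the router's.

```python
# Added example, not Gearbox or Uniswap code. Constructed 20-byte addresses
# stand in for real tokens; the layout constants follow UniswapV3's Path format.
ADDR_LEN = 20                  # token address
FEE_LEN = 3                    # uint24 pool fee
HOP_LEN = ADDR_LEN + FEE_LEN   # one [fee][token] unit per extra hop

WBTC, WETH, DAI, FAKE = (bytes([i]) * ADDR_LEN for i in (1, 2, 3, 4))

def encode_path(*parts):
    """Mimic abi.encodePacked over addresses (bytes) and fees (int)."""
    return b"".join(p.to_bytes(FEE_LEN, "big") if isinstance(p, int) else p
                    for p in parts)

def naive_parse(path):
    """Pre-fix Gearbox extraction: first 20 bytes in, LAST 20 bytes out."""
    return path[:ADDR_LEN], path[-ADDR_LEN:]

def first_pool(path):
    """What the UniswapV3 router decodes for the first pool: in, fee, out."""
    fee = int.from_bytes(path[ADDR_LEN:HOP_LEN], "big")
    return path[:ADDR_LEN], fee, path[HOP_LEN:HOP_LEN + ADDR_LEN]

def walk_hops(path):
    """Every token the router will actually route through, in order.
    Rejects lengths that are not 20 + k*23 (a stray address with no fee)."""
    if len(path) < HOP_LEN + ADDR_LEN or (len(path) - ADDR_LEN) % HOP_LEN:
        raise ValueError("malformed path: length %d" % len(path))
    return [path[i:i + ADDR_LEN] for i in range(0, len(path), HOP_LEN)]

def hidden_tokens(path):
    """Defender's parity check: tokens the router touches that the naive
    (first, last) view never sees. Non-empty means the health check is
    pricing a different pair than the one actually being traded."""
    token_in, token_out = naive_parse(path)
    return [t for t in walk_hops(path) if t not in (token_in, token_out)]

if __name__ == "__main__":
    # The multi-hop path from the report: naive view says WBTC -> WETH,
    # but the first pool the router hits is WBTC <-> FAKE.
    path = encode_path(WBTC, 3000, FAKE, 3000, WETH)
    print("naive:", naive_parse(path) == (WBTC, WETH))
    print("router first pool out is FAKE:", first_pool(path)[2] == FAKE)
    print("hidden tokens:", hidden_tokens(path) == [FAKE])
```

The single-hop path `encode_path(WBTC, 500, WETH)` yields no hidden tokens, which is the only case where the naive extraction and the router agree.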
## Exploitation
- **Status:** PoC available (Reported via Immunefi; confirmed by team).
- **Complexity:** Medium
- **Attack Vector:** Network (Smart Contract Interaction)
## Impact
- **Confidentiality:** None
- **Integrity:** High (Unauthorized manipulation of Credit Account balances)
- **Availability:** High (Potential for total drainage of liquidity pools/protocol funds)
## Remediation
### Patches
- The Gearbox team deployed a fix on **March 25, 2022**. The updated logic ensures the path parser correctly accounts for the 3-byte fee transitions used in UniswapV3 multi-hop paths to align with the Router's internal logic.
### Workarounds
- The protocol was temporarily **paused** by the team during the incident response to prevent exploitation before the fix was deployed.
## Detection
- **Indicators of Compromise:** Large swaps involving multi-hop paths where the first and last tokens in the path do not match the expected trade pair, or swaps involving unknown/unverified tokens with manipulated liquidity.
- **Detection Methods:** Audit of `path` parsing logic in all DeFi adapters to ensure parity with the underlying protocol (e.g., Uniswap, Curve, Sushiswap).
## References
- Gearbox Protocol Architecture: hxxps://dev[.]gearbox[.]fi/contracts/architecture
- Original Report: hxxps://medium[.]com/@nnez/different-parsers-different-results-acecf84dfb0c
- Bug Bounty Program: hxxps://immunefi[.]com/bounty/gearbox/