PoolLib.getInsideFees calculates inside fees when current price is inside the position range as:
The issue is that this code doesn't handle uninitialized ticks. poolContract.ticks returns correct lowerFeeGrowthOutside amounts only for initialized ticks. For uninitialized ticks it returns 0. This means that for uninitialized ticks the feeGrowthInside amounts will be equal to feeGrowthGlobal.
As a result:
- If maker position is created on uninitialized uniswap ticks while the current price is inside the position range, any further actions of this position will revert, with user funds in this position being stuck permanently;
- Attacker can steal all diamond funds by collecting inflated fees.
For example, the first DoS scenario happens when node.liq.feeGrowthInside0X128/1X128 have been set to inflated values when the ticks were not initialized before, but newFeeGrowthInside0X128/1X128 return the post initialization values, so 0, which underflows, and the position gets stuck.
Alpha: study Uniswap well when integrating with it. In this case, the fact that unintialized ticks return 0 fee growth variables wasn't handled, leading to severe issues.
Conclusion
This finding would earn you $4432, and having a deep Uniswap knowledge would allow you to find it.