The Sync exploit in UniswapV2

The following function in UniswapV2 is responsible to calculate the ratio for the addLiquidity function:

As you can see, it goes through several conditions:

Condition 1: First liquidity addition, here it simply allows to whatever ratio is provided

Condition 2: Calculate amountB based on provided amountA and the current reserve ratio

Condition 3: Calculate amountA based on provided amountB and the current reserve ratio

Now let’s take a look at the quote function, which is invoked in condition 2&3:

Now the exploit:

The pair is newly created and no liquidity has been added, naturally the liquidity addition would follow condition 1. However, a malicious user manually transfers 1 wei of the counter token to the pair and invokes sync, which results in reserveB = 1. This means, condition 1 is not fulfilled anymore and it will enter condition 2. As one can see the quote function is invoked in condition 2. The problem: the require statement is not fulfilled because reserveA = 0 and reserveB = 1.

Therefore, liquidity addition will be blocked until someone manually transfers tokenA to the pair and invokes sync.