Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L368
Vulnerability details
Impact
GeVault#poolMatchesOracle uses UniV3Pool.slot0 to determine the number of tokens it has in its position. slot0 is the most recent data point and is therefore extremely easy to manipulate. Given that the protocol specializes in leverage, the effects of this manipulation would compound to make malicious use even easier.
Proof of Concept

```solidity
function poolMatchesOracle() public view returns (bool matches) {
    // slot0 holds the pool's current sqrt price, i.e. the spot price right after the last swap.
    (uint160 sqrtPriceX96,,,,,,) = uniswapPool.slot0(); //@audit
    uint decimals0 = token0.decimals();
    uint decimals1 = token1.decimals();
    uint priceX8 = 10**decimals0;
    // Scale sqrtPriceX96 down by 2**12 before squaring so the product does not overflow;
    // the divisor therefore becomes 2**168 instead of 2**192.
    priceX8 = priceX8 * uint(sqrtPriceX96 / 2 ** 12) ** 2 * 1e8 / 2**168;
    priceX8 = priceX8 / 10**decimals1;
    // Oracle price of token0 denominated in token1, scaled by 1e8.
    uint oraclePrice = 1e8 * oracle.getAssetPrice(address(token0)) / oracle.getAssetPrice(address(token1));
    // The pool price must lie within +/-1% of the oracle price.
    if (oraclePrice < priceX8 * 101 / 100 && oraclePrice > priceX8 * 99 / 100) matches = true;
}
```

GeVault#poolMatchesOracle uses UniV3Pool.slot0 to determine the number of tokens it has in its position. slot0 is the most recent data point and can easily be manipulated.
You can read about slot0 here.
Functions such as deposit, withdraw and rebalance directly use the value returned by GeVault#poolMatchesOracle. This allows a malicious user to manipulate the valuation of the LP. An example of this kind of manipulation would be to use large buys/sells to alter the composition of the LP to make it worth less or more.
Tools Used
Manual review
Recommended Mitigation Steps
Use a TWAP instead of slot0.
Assessed type
Uniswap
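The following is an added example, not code from the GoodEntry repository or the finding's author: it reproduces the page's poolMatchesOracle arithmetic in Python and contrasts feeding it the slot0 spot price against a tick-cumulative TWAP (floored the way Uniswap's OracleLibrary.consult floors) when the pool is pushed off-price for a single block. The token decimals, oracle prices, ticks and window length are constructed values, and tick_to_sqrt_price_x96 is a float stand-in for TickMath.

```python
import math

Q96 = 2 ** 96
# Constructed scenario: token0 has 18 decimals, token1 has 6 (WETH/USDC-like),
# honest price 2000 token1 per token0. Ticks are constructed, not on-chain data.
DECIMALS0, DECIMALS1 = 18, 6
ORACLE_PRICE_X8 = 10 ** 8 * (2000 * 10 ** 8) // (1 * 10 ** 8)  # 1e8 * price0 / price1
HONEST_TICK = -200311      # roughly log base 1.0001 of (2000e6 / 1e18)
TWAP_WINDOW = 1800         # 30-minute observation window, in seconds
BLOCK_SECONDS = 12         # the pool sits at the manipulated price for one block

def tick_to_sqrt_price_x96(tick: int) -> int:
    """Float approximation of TickMath.getSqrtRatioAtTick (assumption: precision is ample here)."""
    return int(math.sqrt(1.0001 ** tick) * Q96)

def spot_price_x8(sqrt_price_x96: int, decimals0: int, decimals1: int) -> int:
    """The page's poolMatchesOracle arithmetic, reproduced in integer math."""
    price_x8 = 10 ** decimals0
    price_x8 = price_x8 * (sqrt_price_x96 // 2 ** 12) ** 2 * 10 ** 8 // 2 ** 168
    return price_x8 // 10 ** decimals1

def pool_matches_oracle(price_x8: int, oracle_price_x8: int) -> bool:
    """The +/-1% band check from the page."""
    return oracle_price_x8 < price_x8 * 101 // 100 and oracle_price_x8 > price_x8 * 99 // 100

def twap_tick(tick_cumulative_then: int, tick_cumulative_now: int, period: int) -> int:
    """Arithmetic-mean tick over `period` seconds, rounded toward -infinity like
    OracleLibrary.consult (Python's // already floors negative results)."""
    return (tick_cumulative_now - tick_cumulative_then) // period

def attacked_tick_cumulative(honest_tick: int, attack_tick: int) -> int:
    """tickCumulative after a window of honest trading that ends in one manipulated block."""
    return honest_tick * (TWAP_WINDOW - BLOCK_SECONDS) + attack_tick * BLOCK_SECONDS

def compare(attack_tick: int) -> dict:
    """Band check fed with slot0 versus with the TWAP, read during the manipulated block."""
    slot0_price = spot_price_x8(tick_to_sqrt_price_x96(attack_tick), DECIMALS0, DECIMALS1)
    mean_tick = twap_tick(0, attacked_tick_cumulative(HONEST_TICK, attack_tick), TWAP_WINDOW)
    twap_price = spot_price_x8(tick_to_sqrt_price_x96(mean_tick), DECIMALS0, DECIMALS1)
    return {
        "slot0_matches": pool_matches_oracle(slot0_price, ORACLE_PRICE_X8),
        "twap_matches": pool_matches_oracle(twap_price, ORACLE_PRICE_X8),
        "slot0_move_pct": (1.0001 ** (attack_tick - HONEST_TICK) - 1) * 100,
        "twap_move_pct": (1.0001 ** (mean_tick - HONEST_TICK) - 1) * 100,
    }

if __name__ == "__main__":
    print(compare(HONEST_TICK))         # undisturbed pool: both checks pass
    print(compare(HONEST_TICK + 1000))  # slot0 moves ~10.5% and fails; TWAP moves ~0.06% and passes
```

A 1000-tick move in one 12-second block shifts the slot0-derived price well outside the 1% band while the 30-minute TWAP barely moves, which is why the mitigation replaces slot0 with a TWAP.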