code-423n4 / 2024-04-panoptic-findings


The returned value for "observe" call in `twapFilter` doesn't round up for negative tick deltas #248

Open c4-bot-8 opened 6 months ago

c4-bot-8 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/libraries/PanopticMath.sol#L253
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticPool.sol#L1450

Vulnerability details

Impact

The twapFilter function is used in the getUniV3TWAP function, which is used to get the current tick in the liquidate and forceExercise functions. This will cause that, in case of a negative tick delta, the returned tick will be much bigger than desired and opens up cases of price manipulations and arbitrage.

Proof of Concept

The twapFilter function is used to get TWAP prices over a series of time intervals. The function uses univ3pool.observe(secondsAgos) to get the tickCumulatives array, which is then used to calculate the int24 twapMeasurement. As the univ3pool.observe() function sometimes returns negative tickCumulative delta values, these values need to be rounded down, which is what is noticed upon comparison with Uniswap's oracle library.

The function, however, does not account for this.

    // observe the tickCumulative at the 20 pre-defined time slots
    (int56[] memory tickCumulatives, ) = univ3pool.observe(secondsAgos);

    // compute the average tick per 30s window
    for (uint256 i = 0; i < 19; ++i) {
        twapMeasurement[i] = int24(
            (tickCumulatives[i] - tickCumulatives[i + 1]) / int56(uint56(twapWindow / 20))
        );
    }

Tools Used

Manual code review

Recommended Mitigation Steps

Tick should be rounded down in that case:

    int56 delta = tickCumulatives[i] - tickCumulatives[i + 1]; // inside the 19-iteration loop, after twapMeasurement[i] is set
    if (delta < 0 && (delta % int56(uint56(twapWindow / 20)) != 0)) twapMeasurement[i]--; // same rounding as Uniswap's OracleLibrary.consult

Assessed type

Uniswap
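
An added example, not code from the issue author or from the Panoptic repository: a Python model of the loop quoted above that applies EVM signed division (truncation toward zero, which is what `int56 / int56` does in Solidity) and then the OracleLibrary-style correction to constructed tickCumulative samples, so the size of the discrepancy in the median TWAP tick can be measured. `TWAP_WINDOW = 600`, the `base` cumulative and the per-window tick segments are assumptions made for the example; the 19-window / `sortedTicks[9]` median mirrors the structure of twapFilter.

```python
# Added example (not code from the Panoptic repository or the issue author):
# simulates twapFilter's per-window arithmetic on constructed tickCumulative
# samples to show where truncating division and floor division disagree.
from typing import List, Sequence, Tuple

TWAP_WINDOW = 600          # assumed twapWindow value in seconds
SLOT = TWAP_WINDOW // 20   # per-window length used as the divisor in twapFilter (30s)


def evm_sdiv(a: int, b: int) -> int:
    """Solidity signed division (EVM SDIV): quotient truncated toward zero."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def evm_smod(a: int, b: int) -> int:
    """Solidity signed modulo (EVM SMOD): remainder takes the sign of the dividend."""
    return a - b * evm_sdiv(a, b)


def cumulatives_from_windows(windows: Sequence[Sequence[Tuple[int, int]]],
                             base: int = -5_000_000) -> List[int]:
    """Build 20 tickCumulative samples, newest first, from 19 windows.

    Each window is a list of (tick, seconds) segments summing to SLOT seconds,
    mirroring how the pool accumulates tick * time. `base` (assumed) is the
    oldest sample; only differences between samples matter.
    """
    assert len(windows) == 19
    cums = [0] * 20
    cums[19] = base
    for i in range(18, -1, -1):
        segs = windows[i]
        assert sum(s for _, s in segs) == SLOT, "window must cover exactly SLOT seconds"
        cums[i] = cums[i + 1] + sum(t * s for t, s in segs)
    return cums


def window_ticks_truncating(cums: List[int]) -> List[int]:
    """Per-window mean tick as twapFilter computes it: int56 / int56 truncates toward zero."""
    return [evm_sdiv(cums[i] - cums[i + 1], SLOT) for i in range(19)]


def window_ticks_floored(cums: List[int]) -> List[int]:
    """Same, with OracleLibrary.consult's correction: round toward -inf on inexact negative deltas."""
    out = []
    for i in range(19):
        delta = cums[i] - cums[i + 1]
        tick = evm_sdiv(delta, SLOT)
        if delta < 0 and evm_smod(delta, SLOT) != 0:
            tick -= 1
        out.append(tick)
    return out


def median_tick(window_ticks: List[int]) -> int:
    """twapFilter returns the 10th smallest of the 19 window ticks (sortedTicks[9])."""
    return sorted(window_ticks)[9]


def price_ratio(tick_delta: int) -> float:
    """Price ratio implied by a tick difference: each tick is a factor of 1.0001."""
    return 1.0001 ** tick_delta


# Constructed sample: 9 windows sat exactly at tick -100, 10 windows spent 10s at
# -100 and 20s at -101 (true mean -100.67). Negative inexact deltas are where
# the two roundings diverge.
EXACT = [(-100, SLOT)]
MIXED = [(-100, 10), (-101, 20)]
SAMPLE_WINDOWS = [EXACT] * 9 + [MIXED] * 10
SAMPLE_CUMS = cumulatives_from_windows(SAMPLE_WINDOWS)

# Mirror image on the positive side: truncation and floor agree there.
POSITIVE_WINDOWS = [[(100, 10), (101, 20)]] * 19
POSITIVE_CUMS = cumulatives_from_windows(POSITIVE_WINDOWS)


def compare(cums: List[int]) -> dict:
    """Median tick under both roundings and the price ratio between them."""
    trunc = median_tick(window_ticks_truncating(cums))
    floor = median_tick(window_ticks_floored(cums))
    return {"truncating": trunc, "floored": floor, "price_ratio": price_ratio(trunc - floor)}


if __name__ == "__main__":
    print("negative-tick sample:", compare(SAMPLE_CUMS))
    print("positive-tick sample:", compare(POSITIVE_CUMS))
```

On the negative-tick sample the truncating loop returns a median of -100 while the floored version returns -101, a one-tick (1.0001x) difference; on the positive sample both agree. The floored result equals Python's own `delta // SLOT`, which is the semantics Uniswap's OracleLibrary reproduces with its `tick--` correction.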

c4-judge commented 6 months ago

Picodes marked the issue as duplicate of #195

c4-judge commented 6 months ago

Picodes changed the severity to QA (Quality Assurance)