Closed c4-bot-10 closed 4 months ago
Picodes marked the issue as duplicate of #195
Picodes changed the severity to QA (Quality Assurance)
In the absence of real impact aside from a tiny price deviation compared to the other rounding direction, I'll downgrade to QA.
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/libraries/PanopticMath.sol#L241-L268
Vulnerability details
Impact
In case if
int24(tickCumulatives[i] - tickCumulatives[i+1])
is negative and((tickCumulatives[i] - tickCumulatives[i+1]) % secondsAgo != 0
, then returned tick will be bigger than it should be which opens possibility for some price manipulations and arbitrage opportunities.Here is a similar issue which was reported in SaltyIO audit.
Proof of Concept
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/libraries/PanopticMath.sol#L241-L268
twapFilter
function is used to get twap price tick using uniswap oracle. it usesuniv3pool.observe()
to get tickCumulatives array which is then used to calculate int24 tick.The problem is that in case if int24(tickCumulatives[i] - tickCumulatives[i+1]) is negative, then the tick should be rounded down as it's done in the uniswap library.
As a result, in case if int24(tickCumulatives[i] - tickCumulatives[i+1]) is negative and (tickCumulatives[i] - tickCumulatives[i+1]) % secondsAgo != 0, then returned tick will be bigger then it should be, which opens possibility for some price manipulations and arbitrage opportunities.
Tools Used
Manual review & Past audit
Recommended Mitigation Steps
Add this line:
Assessed type
Math