code-423n4 / 2024-04-panoptic-findings


`twapFilter()` may show incorrect price for negative ticks because it doesn't round up for negative ticks #506

Closed c4-bot-1 closed 4 months ago

c4-bot-1 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/libraries/PanopticMath.sol#L241-#L268

Vulnerability details

In the `twapFilter()` function, it calculates the average tick per 30s window:

        // compute the average tick per 30s window
        for (uint256 i = 0; i < 19; ++i) {
            twapMeasurement[i] = int24(
                (tickCumulatives[i] - tickCumulatives[i + 1]) / int56(uint56(twapWindow / 20))
            );
        }

The problem is that it does not round to negative in a specific case, like in the Uniswap library, so the returned tick will be bigger than it should be, which opens the possibility of some price manipulations and arbitrage opportunities.

Impact

Tick result can be bigger than it should be.

Tools Used

Manual review

Recommended Mitigation Steps

Tick should be rounded down in that case:

            twapMeasurement[i] = int24((tickCumulatives[i] - tickCumulatives[i + 1]) / int56(uint56(twapWindow / 20)));
        +   if ((tickCumulatives[i+1] - tickCumulatives[i]) < 0 && ((tickCumulatives[i+1] - tickCumulatives[i]) % (twapWindow / 20) != 0)) twapMeasurement[i]--;
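
Review bot: the condition on the `+` line tests `tickCumulatives[i+1] - tickCumulatives[i]`, which is the negation of the numerator `tickCumulatives[i] - tickCumulatives[i + 1]` divided on the line above, so the decrement would apply when the computed quotient is positive instead of negative. Test the same difference that is divided, `(tickCumulatives[i] - tickCumulatives[i + 1]) < 0`, and take the remainder against the same `int56(uint56(twapWindow / 20))` divisor used in the division so both lines work on identical operands.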

Assessed type

Context
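
The effect of the truncating division described in the finding above, as an added example that is not part of the original issue or of Panoptic's code: it models the averaging loop with JavaScript BigInt and compares it with a floored variant. The helper names, the newest-first ordering of the 20 cumulatives, and the sample deltas are assumptions constructed for illustration.

```javascript
// Added example (not Panoptic's code). BigInt `/` truncates toward zero,
// the same way Solidity signed integer division does.

// tickCumulatives: 20 BigInt values, newest first (assumed from the loop's
// subtraction order); twapWindow: BigInt seconds.
function windowTicks(tickCumulatives, twapWindow, roundDown) {
  const divisor = twapWindow / 20n;
  const ticks = [];
  for (let i = 0; i < 19; ++i) {
    const delta = tickCumulatives[i] - tickCumulatives[i + 1];
    let tick = delta / divisor; // truncation: -100.03 becomes -100
    // Floor correction, applied only to negative, inexact quotients.
    if (roundDown && delta < 0n && delta % divisor !== 0n) tick -= 1n;
    ticks.push(tick);
  }
  return ticks;
}

// Helper: cumulatives (newest first) whose successive differences are `deltas`.
function cumulativesFromDeltas(deltas) {
  const out = [0n];
  for (const d of deltas) out.push(out[out.length - 1] - d);
  return out;
}

// Constructed sample: 19 per-window deltas for a 600 s TWAP (30 s windows).
const pattern = [-3001n, -3000n, 3001n, -1n];
const sampleDeltas = Array.from({ length: 19 }, (_, i) => pattern[i % 4]);
const sampleCumulatives = cumulativesFromDeltas(sampleDeltas);

// Indices of windows where truncation reports a tick above the floored one.
function overstatedWindows(tickCumulatives, twapWindow) {
  const truncated = windowTicks(tickCumulatives, twapWindow, false);
  const floored = windowTicks(tickCumulatives, twapWindow, true);
  return truncated.flatMap((t, i) => (t > floored[i] ? [i] : []));
}

console.log(windowTicks(sampleCumulatives, 600n, false).slice(0, 4).join(" "));
console.log(windowTicks(sampleCumulatives, 600n, true).slice(0, 4).join(" "));
console.log(overstatedWindows(sampleCumulatives, 600n));
```

Only windows with a negative, non-divisible delta differ; positive deltas and exact multiples give the same tick under both variants.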

c4-judge commented 4 months ago

Picodes marked the issue as duplicate of #195

c4-judge commented 4 months ago

Picodes changed the severity to QA (Quality Assurance)