code-423n4 / 2024-04-panoptic-findings


Option positions can be forced to be always `in-the-money` by manipulating UniswapV3 pool via flash loans #519

Closed c4-bot-2 closed 4 months ago

c4-bot-2 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticPool.sol#L547-L561

Vulnerability details

Description

Opening an option position will result in one of two things: in-the-money and out-of-the-money. In traditional finance, if a trader correctly predicts the direction of the price of an asset, his/her option position will be in-the-money and at that point, factoring in transaction costs, he/she can close his/her position (by selling the option) or exercise the option for immediate profit.

Making your positions always be in-the-money and making a profit is not guaranteed. That is the probabilistic nature of financial markets in general.

That might not be the case for perpetual options in blockchain in general. Since liquidity pools can be manipulated, the trader's options position can always be forced to be in-the-money.

Let's take this scenario and assume that the following is in an atomic transaction:

Options are innately leveraged. With a few tweaks, the traders can tune the right amount of flash loan and options positions to produce a profit. They can also do flash loans on both sides: for manipulating the liquidity pool and for the opening of the options positions itself.

Impact

If most options trades result in wins, at some point the protocol will suffer insolvency.

Proof of Concept

Tools Used

Manual Review

Recommended Mitigation Steps

Do not allow the opening of the options positions and the closing of the positions (or exercising options) to be in the same transaction block. As to how many blocks in the future it should be, the protocol team has to decide on this.

Assessed type

Other
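
The mitigation recommended in the report above (no open and close of a position in the same block), as an added Solidity example that is not part of the original issue and not code from the Panoptic contracts. The contract name, `minBlockDelay`, `_noteOpen`, `_checkClose` and `earliestCloseBlock` are hypothetical, and the delay value is a deployment choice, as the report leaves it to the protocol team.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration of a block-distance guard; hypothetical, not PanopticPool code.
abstract contract SameBlockGuard {
    /// Blocks that must pass between open and close; 1 forbids a same-block close.
    uint256 public immutable minBlockDelay;

    /// account => positionId => block number at which the position was opened.
    mapping(address => mapping(uint256 => uint256)) private _openedAt;

    error PositionNotOpen(address account, uint256 positionId);
    error CloseTooEarly(uint256 currentBlock, uint256 earliestCloseBlock);

    constructor(uint256 minBlockDelay_) {
        require(minBlockDelay_ > 0, "delay must be at least one block");
        minBlockDelay = minBlockDelay_;
    }

    /// Call from the open (mint) path before any external interaction.
    function _noteOpen(address account, uint256 positionId) internal {
        _openedAt[account][positionId] = block.number;
    }

    /// Call first in the close (burn) and exercise paths.
    function _checkClose(address account, uint256 positionId) internal {
        uint256 opened = _openedAt[account][positionId];
        if (opened == 0) revert PositionNotOpen(account, positionId);
        uint256 earliest = opened + minBlockDelay;
        // With minBlockDelay >= 1 this reverts whenever open and close share a block,
        // so the two steps can never be part of one atomic transaction.
        if (block.number < earliest) revert CloseTooEarly(block.number, earliest);
        delete _openedAt[account][positionId];
    }

    /// Lets callers see when a position becomes closable (0 if it is not open).
    function earliestCloseBlock(address account, uint256 positionId)
        external
        view
        returns (uint256)
    {
        uint256 opened = _openedAt[account][positionId];
        return opened == 0 ? 0 : opened + minBlockDelay;
    }
}
```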

c4-judge commented 4 months ago

Picodes marked the issue as primary issue

dyedm1 commented 4 months ago

There is no failure case enumerated here for the protocol -- that is exactly how it is intended to work. If a user manipulates the price, the funds for their profits come from their own swaps.

c4-judge commented 4 months ago

Picodes marked the issue as unsatisfactory: Invalid