c4-judge
commented
2 months ago Picodes marked the issue as duplicate of #562
Closed c4-bot-7 closed 2 months ago
c4-judge
commented
2 months ago Picodes marked the issue as duplicate of #562
c4-judge
commented
2 months ago Picodes marked the issue as unsatisfactory: Invalid
sammy-tm
commented
2 months ago @Picodes Can you please take a look, this is a dup of #537
c4-judge
commented
2 months ago Picodes marked the issue as not a duplicate
c4-judge
commented
2 months ago Picodes marked the issue as duplicate of #537
c4-judge
commented
2 months ago Picodes marked the issue as satisfactory
c4-judge
commented
2 months ago Picodes changed the severity to 2 (Med Risk)
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticFactory.sol#L341
Vulnerability details
The creation of a pool requires the creator to mint full-range liquidity into the corresponding Uniswap V3 pool. However, this fullRangeLiquidity is calculated using the slot0 SqrtPriceX96 from the Uniswap pool, which is susceptible to manipulation.
Impact
MEV bots can utilize flash loans to front-run the creation of a pool, thereby increasing the costs for the user. The user may end up paying more token0 and token1 than necessary for creating the pool. Subsequently, these bots may execute trades that profit from the inflated prices after the pool's creation.
Proof of Concept
Tools Used
Manual Review
Recommended Mitigation Steps
Implement the use of TWAP (Time-Weighted Average Price) instead.
Assessed type
MEV