In the original implementation, whenever Uniswap twap tick is calculated, the code does not round down
the result as suggested by uniswap code
secondsAgos[0] = 0; // from (before)
secondsAgos[1] = twapSeconds; // from (before)
(int56[] memory tickCumulatives,) = pool.observe(secondsAgos); // pool observe may fail when there is not enough history available (only use pool with enough history!)
int24 tick = int24((tickCumulatives[0] - tickCumulatives[1]) / int56(uint56(twapSeconds)));
This makes the result tick bigger then it should be.
Mitigation:
PR #10
The mitigation code will round down tick every time twap price is used:
secondsAgos[0] = 0; // from (before)
secondsAgos[1] = twapSeconds; // from (before)
(int56[] memory tickCumulatives,) = pool.observe(secondsAgos); // pool observe may fail when there is not enough history available (only use pool with enough history!)
int24 tick = int24((tickCumulatives[0] - tickCumulatives[1]) / int56(uint56(twapSeconds)));
if (
tickCumulatives[0] - tickCumulatives[1] < 0
&& (tickCumulatives[0] - tickCumulatives[1]) % int32(twapSeconds) != 0
) tick--;
Lines of code
Vulnerability details
C4 issue
H-05: _getReferencePoolPriceX96() will show incorrect price for negative tick deltas in current implementation cause it doesn't round up for them
Comment
In the original implementation, whenever Uniswap twap tick is calculated, the code does not round down the result as suggested by uniswap code
This makes the result
tick
bigger then it should be.Mitigation:
PR #10 The mitigation code will round down tick every time twap price is used:
The mitigation solved the original issue
Conclusion
LGTM