code-423n4 / 2024-04-revert-mitigation-findings


M-18 MitigationConfirmed #50

Open c4-bot-3 opened 7 months ago

c4-bot-3 commented 7 months ago

Lines of code

Vulnerability details

C4 Issue

M-18: Users cannot stop loss in AutoRange and AutoExit

Issue Details

The AutoRange.sol and AutoExit.sol contracts allow position owners to delegate their NFTs to Revert-controlled bots that will manage them based on different criteria:

Both of those contracts allow optional swaps to be executed in order to provide better value management for the positions. For each swap the contracts cross-verify with the pool's TWAP oracle to prevent potential price manipulation.

The problem was that even if the user configured a position NOT to use swaps, the swap price validation was still conducted. This would mean that in case the pool price goes outside the acceptable ranges, the execute() function will revert because of the swap price check. As a result the position transformation will be DOSed even though it is configured not to execute any swaps.

Mitigation

PR-12 successfully mitigates the original issue by introducing additional checks inside AutoExit.sol & AutoRange.sol that make sure the pool price validation is executed only if the position is configured for swaps.

Conclusion

Mitigation Confirmed
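
The pattern behind M-18 and its mitigation, as an added example that is not part of the comment above and is not the AutoExit.sol / AutoRange.sol source. It is a simplified model: the contract name, `swapEnabled`, `maxTickDiff`, the settable ticks and the tick-difference form of the TWAP check are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the M-18 pattern. All names are hypothetical.
contract AutomatorModel {
    error PriceOutOfRange();

    struct PositionConfig {
        bool swapEnabled;   // owner opted in to the optional swap
        uint24 maxTickDiff; // assumed form of the "acceptable range"
    }

    // Constructed stand-ins for the pool's spot tick and its TWAP tick.
    int24 public spotTick;
    int24 public twapTick;
    mapping(uint256 => PositionConfig) public configs;

    function setTicks(int24 spot, int24 twap) external {
        spotTick = spot;
        twapTick = twap;
    }

    function configure(uint256 tokenId, bool swapEnabled, uint24 maxTickDiff) external {
        configs[tokenId] = PositionConfig(swapEnabled, maxTickDiff);
    }

    // Reverts when the spot price has drifted too far from the TWAP.
    function _checkPrice(uint24 maxTickDiff) internal view {
        int256 diff = int256(spotTick) - int256(twapTick);
        uint256 absDiff = uint256(diff >= 0 ? diff : -diff);
        if (absDiff > maxTickDiff) revert PriceOutOfRange();
    }

    // Before: the check runs for every position, so a position with
    // swapEnabled == false still reverts while the price is out of range.
    function executeBefore(uint256 tokenId) external view returns (bool) {
        _checkPrice(configs[tokenId].maxTickDiff);
        return true; // the position transformation would happen here
    }

    // After: the check runs only when a swap will actually be executed.
    function executeAfter(uint256 tokenId) external view returns (bool) {
        PositionConfig memory c = configs[tokenId];
        if (c.swapEnabled) _checkPrice(c.maxTickDiff);
        return true; // no-swap positions are no longer blocked
    }
}
```

A regression test for this class of fix sets the spot tick outside the allowed difference and asserts that a position configured without swaps still executes, while a position configured with swaps still reverts.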

c4-judge commented 7 months ago

jhsagd76 marked the issue as satisfactory

c4-judge commented 7 months ago

jhsagd76 marked the issue as confirmed for report