Lines of code
https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/Perp.sol#L206
https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/UniHelper.sol#L13-L15
https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/Trade.sol#L49
Vulnerability details
Impact
There are multiple instances where Uniswap's slot0 is used to calculate the square root price. This is dangerous as slot0 returns the pool’s spot price, which can be manipulated by buying and selling assets within the pool using flash loans, since this price is given by the current ratio of reserves in the pool. An attacker can make the spot price favorable for them to achieve their desired outcome.
Proof of Concept
As mentioned, slot0 is used to fetch the spot price in multiple instances throughout the protocol:
Perp.sol#L206
UniHelper.sol#L13-L15
An example of where this is used is when trades are executed:
Trade.sol#L49
An attacker can manipulate the spot price via flash loans to make trades favorable for them.
Tools Used
Manual Review
Recommended Mitigation Steps
Use the TWAP instead of slot0 when obtaining the price
Assessed type
Uniswap