code-423n4 / 2024-05-predy-findings


Multiple instances of usage of `slot0` to calculate square root price, which is easily manipulatable #276

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/Perp.sol#L206
https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/UniHelper.sol#L13-L15
https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/Trade.sol#L49

Vulnerability details

Impact

There are multiple instances where Uniswap's slot0 is used to calculate the square root price.

This is dangerous as slot0 returns the pool’s spot price, which can be manipulated by buying and selling assets within the pool using flash loans, since this price is given by the current ratio of reserves in the pool.

An attacker can make the spot price favorable for them to achieve their desired outcome.

Proof of Concept

As mentioned, slot0 is used to fetch the spot price in multiple instances throughout the protocol:

Perp.sol#L206

    (uint160 currentSqrtPrice, int24 currentTick,,,,,) = IUniswapV3Pool(_sqrtAssetStatus.uniswapPool).slot0();

UniHelper.sol#L13-L15

    function getSqrtPrice(address uniswapPoolAddress) internal view returns (uint160 sqrtPrice) {
        (sqrtPrice,,,,,,) = IUniswapV3Pool(uniswapPoolAddress).slot0();
    }

An example of where this is used is when trades are executed:

Trade.sol#L49

    tradeResult.sqrtPrice = getSqrtPrice(pairStatus.sqrtAssetStatus.uniswapPool, pairStatus.isQuoteZero);

An attacker can manipulate the spot price via flash loans to make trades favorable for them.

Tools Used

Manual Review

Recommended Mitigation Steps

Use the TWAP instead of slot0 when obtaining the price

Assessed type

Uniswap
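The mitigation the finding recommends, written out as an added example (not code from the Predy repository or from the finding): a `getTwapSqrtPrice` helper that derives the sqrt price from the pool's `observe()` oracle instead of `slot0()`. It assumes a Solidity 0.8-compatible `TickMath` from Uniswap v3-core is on the import path, and the library and interface names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: a Solidity 0.8-compatible TickMath is available on the import path.
import {TickMath} from "@uniswap/v3-core/contracts/libraries/TickMath.sol";

// Minimal pool interface: only observe() is needed for the TWAP read.
interface IUniswapV3PoolObserve {
    function observe(uint32[] calldata secondsAgos)
        external
        view
        returns (int56[] memory tickCumulatives, uint160[] memory secondsPerLiquidityCumulativeX128s);
}

library TwapHelper {
    // Returns the time-weighted average sqrt price (Q64.96) over the last `secondsAgo` seconds.
    // Unlike slot0(), this value cannot be moved within a single block by a flash-loan-funded
    // swap: the price must stay distorted across the whole window, exposing the manipulator
    // to arbitrage for every block it remains off-market.
    function getTwapSqrtPrice(address pool, uint32 secondsAgo) internal view returns (uint160 sqrtPriceX96) {
        require(secondsAgo > 0, "TwapHelper: zero window");

        uint32[] memory secondsAgos = new uint32[](2);
        secondsAgos[0] = secondsAgo; // start of the window
        secondsAgos[1] = 0;          // now

        // Reverts ("OLD") if the pool's observation cardinality does not cover the window;
        // that is the safe failure mode: no price rather than a stale or partial one.
        (int56[] memory tickCumulatives,) = IUniswapV3PoolObserve(pool).observe(secondsAgos);

        int56 tickCumulativesDelta = tickCumulatives[1] - tickCumulatives[0];
        int24 arithmeticMeanTick = int24(tickCumulativesDelta / int56(uint56(secondsAgo)));

        // Solidity integer division truncates toward zero; round toward negative infinity
        // so negative deltas produce a consistent mean tick (same rule as Uniswap's OracleLibrary).
        if (tickCumulativesDelta < 0 && (tickCumulativesDelta % int56(uint56(secondsAgo)) != 0)) {
            arithmeticMeanTick--;
        }

        sqrtPriceX96 = TickMath.getSqrtRatioAtTick(arithmeticMeanTick);
    }
}
```

The window length is the trade-off to tune: a longer `secondsAgo` raises the cost of sustaining a manipulated price but lags the market more, so the pool's observation cardinality must be increased (via `increaseObservationCardinalityNext`) to cover whatever window is chosen.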

c4-judge commented 2 months ago

alex-ppg marked the issue as satisfactory