In the UniHelper.sol library, the functions getSqrtPrice and getSqrtTWAP use the slot0 function of the IUniswapV3Pool interface to get the value of sqrtPriceX96. The sqrtPriceX96 obtained from UniswapV3.slot0 represents the most recent data point and can be easily manipulated via MEV (Miner Extractable Value) bots and flash loans. This manipulation can lead to sandwich attacks, where the price is artificially inflated or deflated before and after a transaction, causing a loss of funds when interacting with Uniswap's swap functions or any other logic that relies on the manipulated price data.
Proof of Concept
You can see the getSqrtPrice function in the UniHelper.sol:
The function uses the sqrtPrice obtained from Uniswap.slot0.
Getting prices using slot0 is highly frowned upon. An attacker can simply manipulate the sqrtPrice by using MEV bots or flash loans. If any function relying on getSqrtPrice or getSqrtTWAP is called with the manipulated sqrtPrice, the token will be bought or sold at an artificially inflated or deflated price. The attacker can then back-run the transaction to sell or buy back the tokens at the manipulated price, thereby making a profit while causing a loss to whoever called those functions.
The value if manipulated is used in convertSqrtPrice of UniHelper and this convertSqrtPrice is queried by getSqrtPrice function in Trade.sol.
getSqrtPrice is used during the execution of trades to determine the current price of a trading pair in the Uniswap pool. This price is essential for calculating how much of one token a user receives when swapping another token, ensuring that the trade is executed at a fair market rate according to the liquidity available in the pool. So as we can see, any value gotten as a result of a manipulated Slot0 goes a long way to corrupt the protocol.
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/UniHelper.sol#L12-L14
Vulnerability details
Impact
In the
UniHelper.sol
library, the functionsgetSqrtPrice
andgetSqrtTWAP
use theslot0
function of theIUniswapV3Pool
interface to get the value ofsqrtPriceX96
. ThesqrtPriceX96
obtained fromUniswapV3.slot0
represents the most recent data point and can be easily manipulated via MEV (Miner Extractable Value) bots and flash loans. This manipulation can lead to sandwich attacks, where the price is artificially inflated or deflated before and after a transaction, causing a loss of funds when interacting with Uniswap's swap functions or any other logic that relies on the manipulated price data.Proof of Concept
You can see the
getSqrtPrice
function in theUniHelper.sol
:https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/UniHelper.sol#L12-L14
The function uses the
sqrtPrice
obtained fromUniswap.slot0
.Getting prices using slot0 is highly frowned upon. An attacker can simply manipulate the
sqrtPrice
by using MEV bots or flash loans. If any function relying ongetSqrtPrice
orgetSqrtTWAP
is called with the manipulatedsqrtPrice
, the token will be bought or sold at an artificially inflated or deflated price. The attacker can then back-run the transaction to sell or buy back the tokens at the manipulated price, thereby making a profit while causing a loss to whoever called those functions.The value if manipulated is used in
convertSqrtPrice
ofUniHelper
and thisconvertSqrtPrice
is queried bygetSqrtPrice
function inTrade.sol
.getSqrtPrice
is used during the execution of trades to determine the current price of a trading pair in the Uniswap pool. This price is essential for calculating how much of one token a user receives when swapping another token, ensuring that the trade is executed at a fair market rate according to the liquidity available in the pool. So as we can see, any value gotten as a result of a manipulatedSlot0
goes a long way to corrupt the protocol.Tools used
Recommended Mitigation Steps
Use The
TWAP
to get the value ofsqrtPrice
.Assessed type
Uniswap