Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/Trade.sol#L38-L46
Vulnerability details
Impact
Trades may be executed incorrectly because the price is read from slot0.
Proof of Concept
UniHelper.getSqrtPrice retrieves the price from slot0:
```solidity
function getSqrtPrice(address uniswapPoolAddress) internal view returns (uint160 sqrtPrice) {
    (sqrtPrice, , , , , , ) = IUniswapV3Pool(uniswapPoolAddress).slot0();
}
```
Used price: https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/Trade.sol#L38-L46
```solidity
function trade(
tradeResult.sqrtPrice = getSqrtPrice(pairStatus.sqrtAssetStatus.uniswapPool, pairStatus.isQuoteZero); // The slot0 which is used in this instance can be manipulated.
```
Tools Used
Manual analysis
Recommended Mitigation Steps
A more secure, less manipulable price mechanism should be used to mitigate this.
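One such mechanism is a time-weighted average price read from the pool's own oracle via `observe`. The sketch below is an added example, not code from the report or from Predy, and the report itself does not name a specific mechanism. The names `TwapPrice`, `getSqrtTwapX96` and `window` are hypothetical, and it assumes a Solidity 0.8-compatible build of Uniswap v3-core.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumption: a Solidity 0.8-compatible build of Uniswap v3-core is on the import path.
import {IUniswapV3Pool} from "@uniswap/v3-core/contracts/interfaces/IUniswapV3Pool.sol";
import {TickMath} from "@uniswap/v3-core/contracts/libraries/TickMath.sol";

/// Hypothetical helper (not Predy code): time-weighted price instead of slot0.
library TwapPrice {
    /// Returns the sqrt price (Q64.96) at the arithmetic mean tick over `window` seconds.
    function getSqrtTwapX96(address pool, uint32 window) internal view returns (uint160) {
        // A zero-length window would be the spot price again (and divide by zero below).
        require(window != 0, "TWAP window is zero");

        uint32[] memory secondsAgos = new uint32[](2);
        secondsAgos[0] = window; // start of the averaging window
        secondsAgos[1] = 0;      // current block

        // Reverts with "OLD" if the pool's observation history is shorter than `window`.
        (int56[] memory tickCumulatives,) = IUniswapV3Pool(pool).observe(secondsAgos);

        int56 delta = tickCumulatives[1] - tickCumulatives[0];
        int56 secs = int56(uint56(window));
        int24 meanTick = int24(delta / secs);
        // Solidity division truncates toward zero; round negative means down instead.
        if (delta < 0 && (delta % secs != 0)) meanTick--;

        return TickMath.getSqrtRatioAtTick(meanTick);
    }
}
```

The pool's observation cardinality must cover the chosen window, otherwise `observe` reverts; a longer window raises the cost of moving the average but makes the price lag the market.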
Assessed type
Error