Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L155

Vulnerability details

Impact

The buy function of the smart contract has no explicit slippage control. When users contribute to the liquidity pool, the transaction does not verify that the sale tokens received correspond to a fair market rate, so price manipulation or a sharp market move can turn the outcome against the contributor. This can erode trust in the platform, reduce participation, and cause financial losses for users who receive fewer tokens than expected under rapidly changing market conditions.

Proof of Concept

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L155

The relevant fragment of buy (liquidity accounting only; the surrounding function is omitted):

```solidity
// get amount of liquidity associated with raise amount
if (RAISE_TOKEN == _cachedPoolKey.token0) {
    liquidityDelta = LiquidityAmounts.getLiquidityForAmount0(SQRT_RATIO_X96, SQRT_RATIO_UPPER_X96, raiseAmount);
} else {
    liquidityDelta = LiquidityAmounts.getLiquidityForAmount1(SQRT_RATIO_LOWER_X96, SQRT_RATIO_X96, raiseAmount);
}
require(liquidityDelta > 0, "ZA");
// calculate amount of share liquidity the investor receives per the INVESTOR_SHARES config
liquidityDelta = uint128(FullMath.mulDiv(liquidityDelta, _vestingConfigs[0].shares, BPS));
// increase investor's liquidity
_position.liquidity += liquidityDelta;
// update total liquidity locked for vesting and assign vesting schedules
_positionVests[tokenId].totalLiquidity = _position.liquidity;
```

This code does not check the amount of sale tokens received per raise token contributed, so the transaction does not ensure that the user's contribution is exchanged at a rate close to the current market price. The liquidity calculation relies purely on the input amount, without validating the output against market conditions.

Recommended Mitigation Steps

Allow users to specify their acceptable slippage percentage when initiating a transaction; the contract should then revert if that slippage is exceeded before finalizing the transaction.

Assessed type

Invalid Validation
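The following is an added model (not code from ILOPool.sol or the Vultisig project) of the liquidity accounting shown in the snippet, reproducing the Uniswap V3 LiquidityAmounts formulas, with the caller-supplied minimum that the mitigation asks for. The sqrt-price values, share percentage and amounts are constructed for the example; `buy`, `min_liquidity_for` and `Reverted` are hypothetical names.

```python
# Model of the buy() liquidity path above, plus a min-out (slippage) guard.
# Q96/BPS mirror FixedPoint96.Q96 and the bps denominator; price inputs below
# are constructed example values, not constants from the audited contract.
Q96 = 1 << 96          # FixedPoint96.Q96
BPS = 10_000           # basis-point denominator used for INVESTOR_SHARES


class Reverted(Exception):
    """Stands in for a Solidity revert."""


def mul_div(a: int, b: int, denominator: int) -> int:
    # FullMath.mulDiv: floor(a * b / denominator), exact in Python big ints
    return (a * b) // denominator


def liquidity_for_amount0(sqrt_a: int, sqrt_b: int, amount0: int) -> int:
    # LiquidityAmounts.getLiquidityForAmount0 (Uniswap V3 formula)
    if sqrt_a > sqrt_b:
        sqrt_a, sqrt_b = sqrt_b, sqrt_a
    intermediate = mul_div(sqrt_a, sqrt_b, Q96)
    return mul_div(amount0, intermediate, sqrt_b - sqrt_a)


def liquidity_for_amount1(sqrt_a: int, sqrt_b: int, amount1: int) -> int:
    # LiquidityAmounts.getLiquidityForAmount1 (Uniswap V3 formula)
    if sqrt_a > sqrt_b:
        sqrt_a, sqrt_b = sqrt_b, sqrt_a
    return mul_div(amount1, Q96, sqrt_b - sqrt_a)


def buy(raise_amount: int, raise_is_token0: bool, sqrt_ratio: int,
        sqrt_lower: int, sqrt_upper: int, investor_shares_bps: int,
        min_liquidity: int) -> int:
    """Liquidity credited to the investor; reverts if below min_liquidity."""
    if raise_is_token0:
        liq = liquidity_for_amount0(sqrt_ratio, sqrt_upper, raise_amount)
    else:
        liq = liquidity_for_amount1(sqrt_lower, sqrt_ratio, raise_amount)
    if liq == 0:
        raise Reverted("ZA")
    liq = mul_div(liq, investor_shares_bps, BPS)
    # The added guard: the caller's floor on what the contribution must yield
    if liq < min_liquidity:
        raise Reverted("slippage: liquidity below caller minimum")
    return liq


def min_liquidity_for(expected: int, slippage_bps: int) -> int:
    """Floor a caller derives from an off-chain quote and tolerated slippage."""
    return mul_div(expected, BPS - slippage_bps, BPS)
```

With a 1:1 quote and 1% tolerance the floor is 99% of the quoted liquidity; a contribution priced at the lower bound yields roughly a third of the quote and reverts instead of silently crediting less.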