UniswapV3AdapterOracle calculates LP price in USD by using an arithmetic mean tick from Uniswap V3 library, which can miscalculate the fair LP price. The miscalculation can occur in calculating collateral credit (being higher than the actual value), causing liquidation to happen slower than expected, or even worse when the position is already underwater.
Vulnerability Detail
Arithmetic mean tick from Uniswap V3 library, although is a good way to prevent flashloan attacks, does not reflect the current tick. If price decreases monotonically and by a large margin, the arithmetic mean will not be able to catch up with the current price. The "leveraged" farming position can still be considered healthy as the collateral credit is still high from the lagged price (higher than spot) while actually the position may already be underwater.
Impact
Depending on the collateral factor, borrow factor and maximum leverage, the loss to Blueberry can be uncapped as an attacker can open a very large position can make it goes underwater.
paweenpit
false
Fair Uniswap V3 LP price
medium
Summary
UniswapV3AdapterOracle calculates LP price in USD by using an arithmetic mean tick from Uniswap V3 library, which can miscalculate the fair LP price. The miscalculation can occur in calculating collateral credit (being higher than the actual value), causing liquidation to happen slower than expected, or even worse when the position is already underwater.
Vulnerability Detail
Arithmetic mean tick from Uniswap V3 library, although is a good way to prevent flashloan attacks, does not reflect the current tick. If price decreases monotonically and by a large margin, the arithmetic mean will not be able to catch up with the current price. The "leveraged" farming position can still be considered healthy as the collateral credit is still high from the lagged price (higher than spot) while actually the position may already be underwater.
Impact
Depending on the collateral factor, borrow factor and maximum leverage, the loss to Blueberry can be uncapped as an attacker can open a very large position can make it goes underwater.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/UniswapV3AdapterOracle.sol
Tool used
Manual Review
Recommendation
Use fair Uniswap V3 position price by first calculating the fair spot price between 2 tokens from oracles. Fair LP price can be calculated from fair token amounts in Uniswap V3 position (which can be calculated using fair spot price, tick lower and tick upper in Uniswap V3 library
getAmountsForLiquidityhttps://github.com/Uniswap/v3-periphery/blob/6cce88e63e176af1ddb6cc56e029110289622317/contracts/libraries/LiquidityAmounts.sol#L120).