Potential front-running vulnerability in UniV3OracleFactory
Summary
In the UniV3OracleFactory contract, the _createUniV3Oracle function emits an event CreateUniV3Oracle after creating a new UniV3OracleImpl instance. This event could be used by malicious actors to front-run oracle creation transactions, potentially leading to price manipulation or other unintended consequences.
Vulnerability Detail
The _createUniV3Oracle function in the UniV3OracleFactory contract creates a new UniV3OracleImpl instance and emits an event with the oracle instance and its initialization parameters. A malicious actor could monitor this event and front-run the transaction to create an oracle with manipulated parameters, potentially affecting the price or other aspects of the system.
Impact
This vulnerability could lead to price manipulation, front-running, or other unintended consequences in the system.
Consider moving the event emission to occur before the oracle initialization, or use a different mechanism to inform users about oracle creation, such as a registry contract. This would help prevent potential front-running and price manipulation.
moneyversed
medium
Potential front-running vulnerability in UniV3OracleFactory
Summary
In the UniV3OracleFactory contract, the _createUniV3Oracle function emits an event CreateUniV3Oracle after creating a new UniV3OracleImpl instance. This event could be used by malicious actors to front-run oracle creation transactions, potentially leading to price manipulation or other unintended consequences.
Vulnerability Detail
The _createUniV3Oracle function in the UniV3OracleFactory contract creates a new UniV3OracleImpl instance and emits an event with the oracle instance and its initialization parameters. A malicious actor could monitor this event and front-run the transaction to create an oracle with manipulated parameters, potentially affecting the price or other aspects of the system.
Impact
This vulnerability could lead to price manipulation, front-running, or other unintended consequences in the system.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-oracle/src/UniV3OracleFactory.sol#L45
Tool used
Manual Review
Recommendation
Consider moving the event emission to occur before the oracle initialization, or use a different mechanism to inform users about oracle creation, such as a registry contract. This would help prevent potential front-running and price manipulation.