IV can be manipulated to return the maximum IV value on the next write
Summary
Volatility oracles update function can be used to manipulate the next IV and potentially write it to the maximum possible amount as constricted by the IV_CHANGE_PER_UPDATE. This can lead to liquidation of a borrower and it is easy for a liquidator to manipulate the IV.
Shifting our focus back to the update function within the Volatility oracle, there's a potential for its misuse to report a manipulated value equal to the previous IV + IV_CHANGE_PER_UPDATE, representing the maximum IV movement in either direction.
It's noteworthy that the current tick and liquidity are parameters that can be easily manipulated in any Uniswapv3 pool, as they are directly sourced from the Uniswap v3 slot0. If a liquidator were to adjust the current tick by swapping a substantial amount of either token0 or token1, they could significantly influence the tickTVL (recall that tickTVL represents TVL in terms of token1). The resulting volatility (IV) would also shift, as observed here:
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Volatility.sol#L79
In essence, a higher tickTVL results in a lower return value, and conversely, a lower tickTVL results in a higher return value.
Even though the manipulated IV would be confined by IV_CHANGE_PER_UPDATE, a malicious actor can still alter the IV to its maximum range, defined by IV_CHANGE_PER_UPDATE, and leverage this to liquidate a borrower.
Use the twap price and the average liquidity, also check the manipulation of twap as its done in the BalanceSheet library via comparing it with metrics.
mstpr-brainbot
medium
IV can be manipulated to return the maximum IV value on the next write
Summary
Volatility oracles update function can be used to manipulate the next IV and potentially write it to the maximum possible amount as constricted by the IV_CHANGE_PER_UPDATE. This can lead to liquidation of a borrower and it is easy for a liquidator to manipulate the IV.
Vulnerability Detail
The update function in the Volatility oracle is a public function that writes the latest IV after conducting certain validations, as detailed here: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/VolatilityOracle.sol#L45-L94
We can observe from this link that the change in IV is capped by IV_CHANGE_PER_UPDATE for both downward and upward movements of IV: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/VolatilityOracle.sol#L82-L84
From the following link, we can see the impact of IV on price calculations. It indicates that a higher IV results in a broader spread between price.a and price.b from the price.c TWAP price: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/BalanceSheet.sol#L103-L112
Shifting our focus back to the update function within the Volatility oracle, there's a potential for its misuse to report a manipulated value equal to the previous IV + IV_CHANGE_PER_UPDATE, representing the maximum IV movement in either direction.
Considering the estimate function, we must examine the tickTVL and its potential manipulation. The relevant code can be found here: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Volatility.sol#L44-L81
It's noteworthy that the current tick and liquidity are parameters that can be easily manipulated in any Uniswapv3 pool, as they are directly sourced from the Uniswap v3 slot0. If a liquidator were to adjust the current tick by swapping a substantial amount of either token0 or token1, they could significantly influence the tickTVL (recall that tickTVL represents TVL in terms of token1). The resulting volatility (IV) would also shift, as observed here: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Volatility.sol#L79
In essence, a higher tickTVL results in a lower return value, and conversely, a lower tickTVL results in a higher return value.
Even though the manipulated IV would be confined by IV_CHANGE_PER_UPDATE, a malicious actor can still alter the IV to its maximum range, defined by IV_CHANGE_PER_UPDATE, and leverage this to liquidate a borrower.
Impact
Code Snippet
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/VolatilityOracle.sol#L45-L94 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/VolatilityOracle.sol#L82-L84 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/BalanceSheet.sol#L103-L112 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Volatility.sol#L44-L81 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Volatility.sol#L79
Tool used
Manual Review
Recommendation
Use the twap price and the average liquidity, also check the manipulation of twap as its done in the BalanceSheet library via comparing it with metrics.
Duplicate of #63