IV can be manipulated to return the maximum IV value on the next write

Summary

Volatility oracles update function can be used to manipulate the next IV and potentially write it to the maximum possible amount as constricted by the IV_CHANGE_PER_UPDATE. This can lead to liquidation of a borrower and it is easy for a liquidator to manipulate the IV.

Vulnerability Detail

The update function in the Volatility oracle is a public function that writes the latest IV after conducting certain validations, as detailed here: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/VolatilityOracle.sol#L45-L94

We can observe from this link that the change in IV is capped by IV_CHANGE_PER_UPDATE for both downward and upward movements of IV: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/VolatilityOracle.sol#L82-L84

From the following link, we can see the impact of IV on price calculations. It indicates that a higher IV results in a broader spread between price.a and price.b from the price.c TWAP price: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/BalanceSheet.sol#L103-L112

Shifting our focus back to the update function within the Volatility oracle, there's a potential for its misuse to report a manipulated value equal to the previous IV + IV_CHANGE_PER_UPDATE, representing the maximum IV movement in either direction.

Considering the estimate function, we must examine the tickTVL and its potential manipulation. The relevant code can be found here: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Volatility.sol#L44-L81

It's noteworthy that the current tick and liquidity are parameters that can be easily manipulated in any Uniswapv3 pool, as they are directly sourced from the Uniswap v3 slot0. If a liquidator were to adjust the current tick by swapping a substantial amount of either token0 or token1, they could significantly influence the tickTVL (recall that tickTVL represents TVL in terms of token1). The resulting volatility (IV) would also shift, as observed here: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Volatility.sol#L79

In essence, a higher tickTVL results in a lower return value, and conversely, a lower tickTVL results in a higher return value.

Even though the manipulated IV would be confined by IV_CHANGE_PER_UPDATE, a malicious actor can still alter the IV to its maximum range, defined by IV_CHANGE_PER_UPDATE, and leverage this to liquidate a borrower.

Impact

Code Snippet

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/VolatilityOracle.sol#L45-L94 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/VolatilityOracle.sol#L82-L84 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/BalanceSheet.sol#L103-L112 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Volatility.sol#L44-L81 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Volatility.sol#L79

Tool used

Manual Review

Recommendation

Use the twap price and the average liquidity, also check the manipulation of twap as its done in the BalanceSheet library via comparing it with metrics.

Duplicate of #63

sherlock-audit / 2023-10-aloe-judging

mstpr-brainbot - IV can be manipulated to return the maximum IV value on the next write #125