tsvetanovv - `_getCurrentSqrtPriceX96()` is easy to manipulation

[sherlock-admin]

tsvetanovv

high

_getCurrentSqrtPriceX96() is easy to manipulation

Summary

Usage of slot0 in _getCurrentSqrtPriceX96() is easy to manipulation.

Vulnerability Detail

In LiquidityManager.sol we have _getCurrentSqrtPriceX96() function:

function _getCurrentSqrtPriceX96(
        bool zeroForA,
        address tokenA,
        address tokenB,
        uint24 fee
    ) private view returns (uint160 sqrtPriceX96) {
        if (!zeroForA) {
            (tokenA, tokenB) = (tokenB, tokenA);
        }
        address poolAddress = computePoolAddress(tokenA, tokenB, fee);
        (sqrtPriceX96, , , , , , ) = IUniswapV3Pool(poolAddress).slot0(); 
    }

This function retrieves the current square root price from a Uniswap V3 pool.

_getCurrentSqrtPriceX96() using slot0 to retrieve data from Uniswap V3 pool. The slot0 function returns various parameters of the pool, including the sqrtPriceX96 value. slot0 is the most recent data point and is therefore extremely easy to manipulate. https://docs.uniswap.org/contracts/v3/reference/core/interfaces/pool/IUniswapV3PoolState#slot0

A malicious user can use this. An example of this kind of manipulation would be using flash swaps to borrow assets from the pool, manipulate the square root price through a series of trades, and then return the borrowed assets.

Impact

sqrtPriceX96() can be manipulated to cause a loss of funds for the protocol and users.

Code Snippet

https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L341

Tool used

Manual Review

Recommendation

Don't use slot0. Is better to use TWAP Oracle instead.

Duplicate of #109