IUniswapV3Pool(poolAddress).slot0() is used to calculate sqrtPriceLimitX96 in LiquidityManager#_getCurrentSqrtPriceX96 which is the most recent data point and can be manipulated easily via MEV bots and Flashloans with sandwich attacks; which can cause the loss of funds when using sqrtPriceLimitX96 for swaps.
This can cause issues for regular users and can be used by malicious users to give less collateral/debt during borrow or repay.
Alice manipulates the sqrtPriceLimitX96 and interacts with the protocol by calling Borrow, repay or takeOverDebt.
She can either pay less collateral and grab a position during Borrow
Or when calling repay or takeOverDebt she can provide less debt and grab the position or the liquidation bonus.
Kral01
high
[H-03] Use of
slot0
to getsqrtPriceLimitX96
can lead to price manipulation.Summary
Usage of slot0 is extremely easy to manipulate.
Vulnerability Detail
In LiquidityManager#_getCurrentSqrtPriceX96
IUniswapV3Pool(poolAddress).slot0()
is used to calculatesqrtPriceLimitX96
.Impact
IUniswapV3Pool(poolAddress).slot0()
is used to calculatesqrtPriceLimitX96
inLiquidityManager#_getCurrentSqrtPriceX96
which is the most recent data point and can be manipulated easily via MEV bots and Flashloans with sandwich attacks; which can cause the loss of funds when usingsqrtPriceLimitX96
for swaps.This can cause issues for regular users and can be used by malicious users to give less collateral/debt during borrow or repay.
sqrtPriceLimitX96
and interacts with the protocol by callingBorrow
,repay
ortakeOverDebt
.repay
ortakeOverDebt
she can provide less debt and grab the position or the liquidation bonus.Code Snippet
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/b33752757fd6a9f404b8577c1eae6c5774b3a0db/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L331C3-L343C1
There was an issue similar to this in the previous Real-Wagmi contest.
Tool used
Manual Review
Recommendation
Use the
TWAP
function to get the value of sqrtPriceX96 or for any calculation.Duplicate of #109