Kral01 - [H-03] Use of `slot0` to get `sqrtPriceLimitX96` can lead to price manipulation.

[sherlock-admin]

Kral01

high

[H-03] Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation.

Summary

Usage of slot0 is extremely easy to manipulate.

Vulnerability Detail

In LiquidityManager#_getCurrentSqrtPriceX96 IUniswapV3Pool(poolAddress).slot0() is used to calculate sqrtPriceLimitX96.

Impact

IUniswapV3Pool(poolAddress).slot0() is used to calculate sqrtPriceLimitX96 in LiquidityManager#_getCurrentSqrtPriceX96 which is the most recent data point and can be manipulated easily via MEV bots and Flashloans with sandwich attacks; which can cause the loss of funds when using sqrtPriceLimitX96 for swaps.

This can cause issues for regular users and can be used by malicious users to give less collateral/debt during borrow or repay.

1. Alice manipulates the sqrtPriceLimitX96 and interacts with the protocol by calling Borrow, repay or takeOverDebt.
2. She can either pay less collateral and grab a position during Borrow
3. Or when calling repay or takeOverDebt she can provide less debt and grab the position or the liquidation bonus.

Code Snippet

https://github.com/sherlock-audit/2023-10-real-wagmi/blob/b33752757fd6a9f404b8577c1eae6c5774b3a0db/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L331C3-L343C1

 function _getCurrentSqrtPriceX96(
        bool zeroForA,
        address tokenA,
        address tokenB,
        uint24 fee
    ) private view returns (uint160 sqrtPriceX96) {
        if (!zeroForA) {
            (tokenA, tokenB) = (tokenB, tokenA);
        }
        address poolAddress = computePoolAddress(tokenA, tokenB, fee);
        (sqrtPriceX96, , , , , , ) = IUniswapV3Pool(poolAddress).slot0();
    }

There was an issue similar to this in the previous Real-Wagmi contest.

Tool used

Manual Review

Recommendation

Use the TWAP function to get the value of sqrtPriceX96 or for any calculation.

Duplicate of #109