Closed sherlock-admin closed 11 months ago
peanuts
medium
Usage of slot0 is easy to manipulate.
slot0 is used to obtain the sqrtPriceX96 value.
function _getCurrentSqrtPriceX96( bool zeroForA, address tokenA, address tokenB, uint24 fee ) private view returns (uint160 sqrtPriceX96) { if (!zeroForA) { (tokenA, tokenB) = (tokenB, tokenA); } address poolAddress = computePoolAddress(tokenA, tokenB, fee); (sqrtPriceX96, , , , , , ) = IUniswapV3Pool(poolAddress).slot0(); }
If liquidity is low, a malicious user can manipulate the amounts in the pool by using large buys/sells order to alter the composition of liquidity. Also, a flash loan can push the liquidity to one side, affecting the calculation of sqrtPriceX96.
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L331-L343
Manual Review
Check derivations from TWAP values instead of using slot0 directly.
Duplicate of #109
peanuts
medium
Obtaining sqrtPriceX96 from slot0 may be dangerous if liquidity is low
Summary
Usage of slot0 is easy to manipulate.
Vulnerability Detail
slot0 is used to obtain the sqrtPriceX96 value.
Impact
If liquidity is low, a malicious user can manipulate the amounts in the pool by using large buys/sells order to alter the composition of liquidity. Also, a flash loan can push the liquidity to one side, affecting the calculation of sqrtPriceX96.
Code Snippet
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L331-L343
Tool used
Manual Review
Recommendation
Check derivations from TWAP values instead of using slot0 directly.
Duplicate of #109