search

sherlock-audit / 2024-02-leverage-contracts-judging

1 stars 0 forks source link

IceBear - Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation. #26

Closed sherlock-admin2 closed 6 months ago

sherlock-admin2 commented 6 months ago

IceBear

medium

Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation.

Summary

Use of slot0 to get sqrtPriceLimitX96 can lead to price manipulation.

Vulnerability Detail

In a previous competition, there was a fix for the sqrtPriceLimitX96 used to determine if the swap has front-run the trade. If the simulated swap causes the price limit to be higher than expected (or lower for a sell), the trade will revert. However, in this contract, there is no corresponding measures to address this issue. In LiquidityManager.sol, _getCurrentSqrtPriceX96() use UniswapV3.slot0 to get the value of sqrtPriceX96. However, the sqrtPriceX96 is pulled from Uniswap.slot0, which is the most recent data point and can be manipulated easily via MEV bots and Flashloans with sandwich attacks. similar finding: https://code4rena.com/reports/2023-05-maia#h-02-use-of-slot0-to-get-sqrtpricelimitx96-can-lead-to-price-manipulation

Impact

Code Snippet

https://github.com/sherlock-audit/2024-02-leverage-contracts/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L345

Tool used

Manual Review

Recommendation

Use TWAP rather than slot0.

Duplicate of #1

fann95 commented 6 months ago

all functions control the minimum amount of output...there is no point in controlling this for each swap