The sqrtPrice() function in StrategyPassiveManagerVelodrome.sol relies on slot0() from the pool, which is susceptible to manipulation. The derived sqrtPrice is used in the _addLiquidity function, impacting critical operations such as deposit and withdraw.
Vulnerability Detail
Beefy is using slot0 to calculate several variables in their codebase:
slot0 is the most recent data point and is therefore extremely easy to manipulate.
function sqrtPrice() public view returns (uint160 sqrtPriceX96) {
(sqrtPriceX96,,,,,) = IVeloPool(pool).slot0();
}
the sqrtPrice is derived from slot0(), which can be easily manipulated
Furthermore, _addLiquidity is called in many functions including the crucial deposit and withdraw
_addLiquidity also calls _mintPosition to mint a new position for the main or alternative position.
Impact
Since slot0() can be easily manipulated, the sqrtPrice used for liquidity calculations can be skewed. This manipulation can lead to inaccurate liquidity provision, resulting in potential financial losses or unfair advantage to malicious actors during deposit and withdraw operations.
Enhance the robustness of the price data by using a time-weighted average price (TWAP) instead of relying solely on the latest data point from slot0().
0xShoonya
medium
Usage of
slot0
is extremely easy to manipulateSummary
The
sqrtPrice()
function inStrategyPassiveManagerVelodrome.sol
relies onslot0()
from the pool, which is susceptible to manipulation. The derivedsqrtPrice
is used in the_addLiquidity
function, impacting critical operations such asdeposit
andwithdraw
.Vulnerability Detail
Beefy is using
slot0
to calculate several variables in their codebase:slot0 is the most recent data point and is therefore extremely easy to manipulate.
the
sqrtPrice
is derived fromslot0()
, which can be easily manipulatedthe calculated
sqrtPrice
is used in _addLiquidityFurthermore,
_addLiquidity
is called in many functions including the crucialdeposit
andwithdraw
_addLiquidity
also calls _mintPosition to mint a new position for the main or alternative position.Impact
Since slot0() can be easily manipulated, the
sqrtPrice
used for liquidity calculations can be skewed. This manipulation can lead to inaccurate liquidity provision, resulting in potential financial losses or unfair advantage to malicious actors during deposit and withdraw operations.Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L617-L619 https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L305-L319 https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L550
Tool used
Manual Review
Recommendation
Enhance the robustness of the price data by using a time-weighted average price (TWAP) instead of relying solely on the latest data point from
slot0()
.Duplicate of #10