The sqrtPrice() function in StrategyPassiveManagerVelodrome.sol relies on slot0() from the pool, which is susceptible to manipulation. The derived sqrtPrice is used in the _addLiquidity function, impacting critical operations such as deposit and withdraw.
Vulnerability Detail
Beefy is using slot0 to calculate several variables in their codebase:
slot0 is the most recent data point and is therefore extremely easy to manipulate.
function sqrtPrice() public view returns (uint160 sqrtPriceX96) {
(sqrtPriceX96,,,,,) = IVeloPool(pool).slot0();
}
the sqrtPrice is derived from slot0(), which can be easily manipulated
Furthermore, _addLiquidity is called in many functions including the crucial deposit and withdraw
_addLiquidity also calls _mintPosition to mint a new position for the main or alternative position.
Impact
Since slot0() can be easily manipulated, the sqrtPrice used for liquidity calculations can be skewed. This manipulation can lead to inaccurate liquidity provision, resulting in potential financial losses or unfair advantage to malicious actors during deposit and withdraw operations.
Enhance the robustness of the price data by using a time-weighted average price (TWAP) instead of relying solely on the latest data point from slot0().
0xShoonya
medium
Usage of
slot0is extremely easy to manipulateSummary
The
sqrtPrice()function inStrategyPassiveManagerVelodrome.solrelies onslot0()from the pool, which is susceptible to manipulation. The derivedsqrtPriceis used in the_addLiquidityfunction, impacting critical operations such asdepositandwithdraw.Vulnerability Detail
Beefy is using
slot0to calculate several variables in their codebase:slot0 is the most recent data point and is therefore extremely easy to manipulate.
the
sqrtPriceis derived fromslot0(), which can be easily manipulatedthe calculated
sqrtPriceis used in _addLiquidityFurthermore,
_addLiquidityis called in many functions including the crucialdepositandwithdraw_addLiquidityalso calls _mintPosition to mint a new position for the main or alternative position.Impact
Since slot0() can be easily manipulated, the
sqrtPriceused for liquidity calculations can be skewed. This manipulation can lead to inaccurate liquidity provision, resulting in potential financial losses or unfair advantage to malicious actors during deposit and withdraw operations.Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L617-L619 https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L305-L319 https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L550
Tool used
Manual Review
Recommendation
Enhance the robustness of the price data by using a time-weighted average price (TWAP) instead of relying solely on the latest data point from
slot0().Duplicate of #10