Beefy is using slot0 to calculate sqrtprice and several variables in their codebase
Vulnerability Detail
in sqrtPrice() sqrtpriceX96 is getting from IVeloPool(pool).slot0().
slot0 is the most recent data point and is therefore extremely easy to manipulate.
sqrtPrice is called in _addLiquidity() , balancesOfPool() and other functions too.
So attacker can manipulate the number of tokens ( balance) which could cause problem
This allows a malicious user to manipulate the valuation of the LP. And it could also lead to slippage.
Impact
balances of tokens is calculated from this and it can be manipulated.
sa9933
high
Usage of slot0 is extremely easy to manipulate
Summary
Beefy is using slot0 to calculate sqrtprice and several variables in their codebase
Vulnerability Detail
in sqrtPrice() sqrtpriceX96 is getting from IVeloPool(pool).slot0(). slot0 is the most recent data point and is therefore extremely easy to manipulate.
sqrtPrice is called in _addLiquidity() , balancesOfPool() and other functions too. So attacker can manipulate the number of tokens ( balance) which could cause problem This allows a malicious user to manipulate the valuation of the LP. And it could also lead to slippage.
Impact
balances of tokens is calculated from this and it can be manipulated.
Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager-Harsh4509/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L254C5-L268C11 https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager-Harsh4509/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L402C5-L412C6 https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager-Harsh4509/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L549C5-L583C6
Tool used
Manual Review
Recommendation
Use TWAP to calculate price instead of slot0
Duplicate of #10