search

sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging

5 stars 5 forks source link

blackhole - The maximum tick deviation should be less than or equal to 4 times the tick spacing in the setDeviation function #28

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

blackhole

medium

The maximum tick deviation should be less than or equal to 4 times the tick spacing in the setDeviation function

Summary

According to the code comments, The setDeviation function should ensure that maxTickDeviation is less than or equal to 4 times the tick spacing. This requirement is currently not properly enforced, potentially allowing maxTickDeviation to be set incorrectly.

If the protocol team provides specific information in the README or CODE COMMENTS, that information stands above all judging rules. In case of contradictions between the README and CODE COMMENTS, the README is the chosen source of truth.

Vulnerability Detail

contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L709

    function setDeviation(int56 _maxDeviation) external onlyOwner {
        emit SetDeviation(_maxDeviation);

        // Require the deviation to be less than or equal to 4 times the tick spacing.
        if (_maxDeviation >= _tickDistance() * 4) revert InvalidInput(); // @audit >

        maxTickDeviation = _maxDeviation;
    }

Impact

The maxTickDeviation cannot be set to exactly 4 times the tick spacing due to the current condition

Code Snippet

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L709

Tool used

Manual Review

Recommendation

It's recommended to change the condition to properly allow maxTickDeviation to be set to 4 times the tick spacing or less.

    function setDeviation(int56 _maxDeviation) external onlyOwner {
        emit SetDeviation(_maxDeviation);

        // Require the deviation to be less than or equal to 4 times the tick spacing.
-        if (_maxDeviation >= _tickDistance() * 4) revert InvalidInput();
+        if (_maxDeviation > _tickDistance() * 4) revert InvalidInput();

        maxTickDeviation = _maxDeviation;
    }

Duplicate of #33

sherlock-admin2 commented 3 months ago

1 comment(s) were left on this issue during the judging contest.

DHTNS commented:

Low -> seems like a code comment error + even if it isnt that's not medium issue as no core functionality broke & no funds lost due to smart contract + fund loss will only occur due to admin error + but up for debate sponsor should comment in