function currentTick() public view returns (int24 tick) {
(,tick,,,,) = IVeloPool(pool).slot0();
}
currentTick() function is returning the current tick of the pool using slot0 . The function is being called in isCalm() which must allow deposit/setTick actions when current price is within a certain deviation of twap.
function isCalm() public view returns (bool) {
int24 tick = currentTick();
....
....
}
It is also called in _setTicks() which sets the tick positions for the main and alternative positions which is also used in four more main functions like unpause(), deposit(), moveTicks() , setPositionWidth() .
The usage of slot0 is throuought the whole contract. It is used for price calculation of the pool aslo for sqrtPriceX96, variables which are used on many places in the contract and are important to be correct. In case of manipulation of slot0 it can inflate the whole protocol and lead to loss of funds for the team and the users.
Impact
LP value can be manipulated to cause loss of funds for the protocol and the users.
0xDazai
high
Usage of
slot0
can be easly manipulated and lead to price manipulationHigh
Summary
Usage of
slot0
is dangerous because It is easy to manipulate.Vulnerability Detail
StrategyPassiveManagerVelodrome.sol
is usingslot0
to calculate multiple variables in the contract.https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L600-L602
currentTick()
function is returning the current tick of the pool usingslot0
. The function is being called inisCalm()
which must allow deposit/setTick actions when current price is within a certain deviation of twap.https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L133-L143
It is also called in
_setTicks()
which sets the tick positions for the main and alternative positions which is also used in four more main functions likeunpause()
,deposit()
,moveTicks()
,setPositionWidth()
.https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L630-L637
The second function which is using
slot0
issqrtPrice()
which returns thesqrtPriceX96
of the pool. https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L617-L619sqrtPrice()
is used in_addLiquidity()
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L243-L261_checkAmounts()
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L402-L412balancesOfPool()
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L550price() function which calculates the price of the pool
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L608-L611The usage of
slot0
is throuought the whole contract. It is used forprice calculation
of the pool aslo forsqrtPriceX96
, variables which are used on many places in the contract and are important to be correct. In case of manipulation ofslot0
it can inflate the whole protocol and lead to loss of funds for the team and the users.Impact
LP value can be manipulated to cause loss of funds for the protocol and the users.
Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L617-L619
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L608-L611
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L600-L602
Tool used
Manual Review
Recommendation
To address this issue, avoid relying on
slot0
and instead useTWAP
.Duplicate of #10