Arbitrary Manipulation of sqrtPriceX96 Compromising Integrity of Liquidity Addition Mechanism
Summary
The sqrtPriceX96 value, which is the latest price data from the Velodrome pool, can be easily manipulated by anyone. This can be achieved by swapping tokens before the sqrtPriceX96 is read by the Strategy and swapping back immediately after.
Vulnerability Detail
The function StrategyPassiveManagerVelodrome::sqrtPrice() in the contract can be easily manipulated by anyone. This manipulation is possible because the function reads the current price from the pool, which can be temporarily altered through token swaps.
Impact
This vulnerability impacts the _addLiquidity() function used to deposit liquidity and mint an LP token as an NFT. By manipulating the sqrtPriceX96, an attacker can influence the amount of liquidity added and potentially gain an unfair advantage.
BaldHeads
medium
Arbitrary Manipulation of sqrtPriceX96 Compromising Integrity of Liquidity Addition Mechanism
Summary
The sqrtPriceX96 value, which is the latest price data from the Velodrome pool, can be easily manipulated by anyone. This can be achieved by swapping tokens before the sqrtPriceX96 is read by the Strategy and swapping back immediately after.
Vulnerability Detail
The function
StrategyPassiveManagerVelodrome::sqrtPrice()in the contract can be easily manipulated by anyone. This manipulation is possible because the function reads the current price from the pool, which can be temporarily altered through token swaps.Impact
This vulnerability impacts the _addLiquidity() function used to deposit liquidity and mint an LP token as an NFT. By manipulating the sqrtPriceX96, an attacker can influence the amount of liquidity added and potentially gain an unfair advantage.
Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L617
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L243-254
Tool used
Manual Review
Recommendation
Use the Time-Weighted Average Price (TWAP) from the protocol itself with a custom duration to limit the possibility of price manipulation.
Duplicate of #10