The insufficient validation in the setTargetSqrtPriceX96 function will cause a medium impact on the protocol's price targeting mechanism as an attacker with the SETTER_ROLE can set invalid or extreme targetSqrtPriceX96 values, leading to inefficient swaps and destabilizing the BOOST peg.
Root Cause
In SolidlyV3AMO.sol, the setTargetSqrtPriceX96 function performs basic validation by ensuring that the provided targetSqrtPriceX96_ is within predefined minimum and maximum ratios. However, it lacks comprehensive validation to ensure that the new target price aligns with the protocol's liquidity and rebalancing strategies, potentially allowing extreme or logically inconsistent values.
Relevant Code Snippet:
function setTargetSqrtPriceX96(uint160 targetSqrtPriceX96_) public override onlyRole(SETTER_ROLE) {
if (targetSqrtPriceX96_ <= MIN_SQRT_RATIO || targetSqrtPriceX96_ >= MAX_SQRT_RATIO) revert InvalidRatioValue();
targetSqrtPriceX96 = targetSqrtPriceX96_;
emit TargetSqrtPriceX96Set(targetSqrtPriceX96);
}
Internal pre-conditions
1-An account with the SETTER_ROLE needs to call setTargetSqrtPriceX96 to set a new target sqrt price.
2-The provided targetSqrtPriceX96_ is within the acceptable range defined by MIN_SQRT_RATIO and MAX_SQRT_RATIO.
External pre-conditions
1-The pool contract must function correctly with the specified targetSqrtPriceX96.
2-External market conditions do not render the targetSqrtPriceX96 setting ineffective or harmful.
Attack Path
1-The attacker, possessing the SETTERROLE, calls the setTargetSqrtPriceX96 function.
2-The attacker provides an extreme or logically inconsistent value for targetSqrtPriceX96 within the allowed range.
3-The contract accepts this value due to the lack of comprehensive validation.
4-The invalid targetSqrtPriceX96 disrupts the swap operations, leading to inefficient or harmful swaps.
5-This misconfiguration can result in loss of funds, reduced liquidity efficiency, and destabilization of the BOOST peg.
Impact
The protocol experiences a medium risk of inefficient swap operations and potential loss of funds due to invalid targetSqrtPriceX96 settings. This can lead to reduced liquidity efficiency, increased slippage, and destabilization of the BOOST peg, affecting user confidence and financial stability.
PoC
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;
import "./SolidlyV3AMO.sol";
contract SqrtPriceAttackV3 {
SolidlyV3AMO amo;
constructor(address amoAddress) {
amo = SolidlyV3AMO(amoAddress);
}
function exploit() public {
// Assume the attacker has SETTER_ROLE
// Set targetSqrtPriceX96_ to an extreme valid value within range
amo.setTargetSqrtPriceX96(MAX_SQRT_RATIO - 1);
}
}
Mitigation
1-Implement Comprehensive Validation:
Ensure that the new targetSqrtPriceX96_ aligns with the protocol's liquidity and rebalancing strategies.
function setTargetSqrtPriceX96(uint160 targetSqrtPriceX96_) public override onlyRole(SETTER_ROLE) {
require(targetSqrtPriceX96_ > MIN_SQRT_RATIO && targetSqrtPriceX96_ < MAX_SQRT_RATIO, "Invalid sqrtPriceX96 value");
// Additional logic to ensure target price aligns with liquidity strategies
require(_isValidTargetSqrtPrice(targetSqrtPriceX96_), "Target sqrtPriceX96 does not align with liquidity strategy");
targetSqrtPriceX96 = targetSqrtPriceX96_;
emit TargetSqrtPriceX96Set(targetSqrtPriceX96);
}
function _isValidTargetSqrtPrice(uint160 targetSqrtPriceX96_) internal view returns (bool) {
// Implement logic to validate target sqrt price based on current liquidity and protocol strategy
return true; // Placeholder for actual validation logic
}
2-Implement Multi-Signature Controls:
Require multiple approvals for setting critical parameters like targetSqrtPriceX96 to add an additional layer of security.
3-Regular Audits and Monitoring:
Continuously monitor targetSqrtPriceX96 settings to detect and prevent unauthorized or malicious changes promptly.
4-Role Management Best Practices:
Minimize the number of addresses with privileged roles and ensure roles are granted judiciously.
5-Comprehensive Testing:
Develop unit tests that simulate various targetSqrtPriceX96 configurations to ensure accurate and secure price targeting.
Summary
The insufficient validation in the setTargetSqrtPriceX96 function will cause a medium impact on the protocol's price targeting mechanism as an attacker with the SETTER_ROLE can set invalid or extreme targetSqrtPriceX96 values, leading to inefficient swaps and destabilizing the BOOST peg.
Root Cause
In SolidlyV3AMO.sol, the setTargetSqrtPriceX96 function performs basic validation by ensuring that the provided targetSqrtPriceX96_ is within predefined minimum and maximum ratios. However, it lacks comprehensive validation to ensure that the new target price aligns with the protocol's liquidity and rebalancing strategies, potentially allowing extreme or logically inconsistent values.
Relevant Code Snippet:
Internal pre-conditions
1-An account with the SETTER_ROLE needs to call setTargetSqrtPriceX96 to set a new target sqrt price. 2-The provided targetSqrtPriceX96_ is within the acceptable range defined by MIN_SQRT_RATIO and MAX_SQRT_RATIO.
External pre-conditions
1-The pool contract must function correctly with the specified targetSqrtPriceX96. 2-External market conditions do not render the targetSqrtPriceX96 setting ineffective or harmful.
Attack Path
1-The attacker, possessing the SETTERROLE, calls the setTargetSqrtPriceX96 function. 2-The attacker provides an extreme or logically inconsistent value for targetSqrtPriceX96 within the allowed range. 3-The contract accepts this value due to the lack of comprehensive validation. 4-The invalid targetSqrtPriceX96 disrupts the swap operations, leading to inefficient or harmful swaps. 5-This misconfiguration can result in loss of funds, reduced liquidity efficiency, and destabilization of the BOOST peg.
Impact
The protocol experiences a medium risk of inefficient swap operations and potential loss of funds due to invalid targetSqrtPriceX96 settings. This can lead to reduced liquidity efficiency, increased slippage, and destabilization of the BOOST peg, affecting user confidence and financial stability.
PoC
Mitigation
1-Implement Comprehensive Validation: Ensure that the new targetSqrtPriceX96_ aligns with the protocol's liquidity and rebalancing strategies.
2-Implement Multi-Signature Controls: Require multiple approvals for setting critical parameters like targetSqrtPriceX96 to add an additional layer of security. 3-Regular Audits and Monitoring: Continuously monitor targetSqrtPriceX96 settings to detect and prevent unauthorized or malicious changes promptly. 4-Role Management Best Practices: Minimize the number of addresses with privileged roles and ensure roles are granted judiciously. 5-Comprehensive Testing: Develop unit tests that simulate various targetSqrtPriceX96 configurations to ensure accurate and secure price targeting.