Use of slot 0 is easy to manipulate #285
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-157
🤖_05_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/UniHelper.sol#L14
Vulnerability details
Impact
the getSqrtPrice is pulled from Uniswap.slot0, which is the most recent data point and can be manipulated easily via MEV bots and Flashloans with sandwich attacks; which can cause the loss of funds when interacting with the Uniswap.swap function.
Proof of Concept
slot0 is the most recent data point and is therefore extremely easy to manipulate. The protocol uses slot0 to fetch the prices while performing a swap during executing a order.
An attacker can simply manipulate the getSqrtPrice and the token will be bought at a higher price and the attacker would run the transaction to sell; thereby earning gains but causing a loss of funds to whoever called those functions.
Tools Used
Uniswap
Recommended Mitigation Steps
Use the TWAP instead of slot0.
Assessed type
Uniswap
The text was updated successfully, but these errors were encountered: