
UniV3 Oracle Manipulation on L2s #345
Labels: 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value; bug Something isn't working; edited-by-warden; 🤖_45_group AI based duplicate group recommendation; sufficient quality report This report is of sufficient quality

c4-bot-5 commented Jun 11, 2024

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/UniHelper.sol#L35

Vulnerability details

Impact

The cost of manipulating the TWAP on an L2 network is too low, so TWAP should not be used on L2.

Proof of Concept

Predy uses TWAP prices in places such as when liquidating a user.
The information provided by the Uniswap team, as documented in the Uniswap Oracle Integration on Layer 2 Rollups guide, primarily addresses the integration of the Uniswap oracle on the L2 Optimism. However, it is relevant to note that the same concerns apply to Arbitrum as well. Arbitrum's average block time is approximately 0.25 seconds, making it vulnerable to potential oracle price manipulation.

Oracles Integrations on Layer 2 Rollups

On Optimism, every transaction is confirmed as an individual block. The block.timestamp of these blocks, however, reflects the block.timestamp of the last L1 block ingested by the Sequencer. For this reason, Uniswap pools on Optimism are not suitable for providing oracle prices, as this high-latency block.timestamp update process makes the oracle much less costly to manipulate. In the future, it's possible that the Optimism block.timestamp will have much higher granularity (with a small trust assumption in the Sequencer), or that forced inclusion transactions will improve oracle security. For more information on these potential upcoming changes, please see the Optimistic Specs repo. For the time being, usage of the oracle feature on Optimism should be avoided.

In Predy the oracle period is even hardcoded to 30 minutes, which makes the manipulation much easier.
And after getting the TWAP period it calculates the price of the already manipulated pool here:

```solidity
// ... (function preamble elided in the report)
        int56[] memory tickCumulatives = abi.decode(data, (int56[]));

        // Time-weighted average tick over the last `ago` seconds (the TWAP tick)
        int24 tick = int24((tickCumulatives[1] - tickCumulatives[0]) / int56(int256(ago)));

        // Convert the average tick into a sqrt price in Q64.96 format
        uint160 sqrtPriceX96 = TickMath.getSqrtRatioAtTick(tick);

        return (sqrtPriceX96, ago);
```

Tools Used

Uniswap

Recommended Mitigation Steps

Fetch the oracle price from Chainlink in place of the TWAP.

Assessed type

Uniswap
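The arithmetic in the snippet above, reproduced as an added example that is not code from the Predy repository: it mirrors the UniHelper TWAP-tick division, quantifies how many seconds a pool must sit at a manipulated tick to move a 30-minute TWAP by a given percentage, and shows the kind of deviation check against an independent reference feed that the recommended mitigation implies. Ticks, prices and thresholds are constructed for illustration.

```python
"""Added example: UniHelper-style TWAP tick math and oracle risk sizing."""
import math

TWAP_PERIOD = 1800   # Predy's hardcoded 30-minute window (per the report)
TICK_BASE = 1.0001   # Uniswap V3: price = 1.0001 ** tick


def twap_tick(tick_cumulatives, ago):
    """Mirror of UniHelper: (tickCumulatives[1] - tickCumulatives[0]) / ago,
    with Solidity-style truncation toward zero for the signed division."""
    delta = tick_cumulatives[1] - tick_cumulatives[0]
    q = abs(delta) // ago
    return q if delta >= 0 else -q


def tick_to_price(tick):
    """Price implied by a tick (sqrtPriceX96 would be sqrt(price) * 2**96)."""
    return TICK_BASE ** tick


def window_cumulatives(honest_tick, bad_tick, bad_seconds, period=TWAP_PERIOD):
    """tickCumulative pair for a window spent at honest_tick except for
    bad_seconds at bad_tick. The pool accumulates tick * elapsed seconds, so a
    tick only earns weight for seconds in which block.timestamp advances."""
    end = honest_tick * (period - bad_seconds) + bad_tick * bad_seconds
    return [0, end]


def seconds_to_move_twap(honest_tick, bad_tick, move_pct, period=TWAP_PERIOD):
    """Fewest seconds at bad_tick (> honest_tick) that lift the TWAP price by
    at least move_pct. Returns None if the window cannot reach the target."""
    if bad_tick <= honest_tick or move_pct <= 0:
        raise ValueError("expects an upward manipulation and a positive move")
    needed_ticks = math.log(1 + move_pct / 100) / math.log(TICK_BASE)
    est = math.ceil(needed_ticks * period / (bad_tick - honest_tick))
    # Walk up from the closed-form estimate until the truncated TWAP clears it.
    for s in range(max(est, 1), period + 1):
        t = twap_tick(window_cumulatives(honest_tick, bad_tick, s, period), period)
        if tick_to_price(t) / tick_to_price(honest_tick) - 1 >= move_pct / 100:
            return s
    return None


def within_deviation(twap_price, reference_price, max_bps):
    """Sanity check before trusting a TWAP: reject it when it strays more than
    max_bps from an independent reference such as a Chainlink feed."""
    return abs(twap_price - reference_price) * 10_000 <= max_bps * reference_price


if __name__ == "__main__":
    # Constructed: honest tick 0 (price 1.0), pool pushed to tick 69081 (~1000x)
    print("seconds at 1000x to move 30-min TWAP by 5%:", seconds_to_move_twap(0, 69081, 5))
```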

@c4-bot-5 c4-bot-5 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 11, 2024
c4-bot-3 added a commit that referenced this issue Jun 11, 2024
@c4-bot-5 c4-bot-5 changed the title UniV3 Oracle unsafe on L2s UniV3 Oracle Manipulation on L2s Jun 11, 2024
@c4-bot-12 c4-bot-12 added the 🤖_45_group AI based duplicate group recommendation label Jun 14, 2024
howlbot-integration bot added a commit that referenced this issue Jun 19, 2024
@howlbot-integration howlbot-integration bot added the sufficient quality report This report is of sufficient quality label Jun 19, 2024