__141345__ - Spot price in getOwnValuation() could be manipulated

[sherlock-admin]

141345

medium

Spot price in getOwnValuation() could be manipulated

Summary

getOwnValuation() is using uniPool.slot0() to get the spot price sqrtPriceX96 for valuation, which could be easily manipulated.

Vulnerability Detail

sqrtPriceX96 is the spot price in the pool. The malicious user can dump large amount to manipulate this price. Especially for low liquidity pools, the manipulation can be even easier.

File: ussd-contracts/contracts/USSDRebalancer.sol
71:     function getOwnValuation() public view returns (uint256 price) {
72:       (uint160 sqrtPriceX96,,,,,,) =  uniPool.slot0();
73:       if(uniPool.token0() == USSD) {
74:         price = uint(sqrtPriceX96)*(uint(sqrtPriceX96))/(1e6) >> (96 * 2);
75:       } else {
76:         price = uint(sqrtPriceX96)*(uint(sqrtPriceX96))*(1e18 /* 1e12 + 1e6 decimal representation */) >> (96 * 2);
77:         // flip the fraction
78:         price = (1e24 / price) / 1e12;
79:       }
80:     }

The result is used in rebalance()

File: ussd-contracts/contracts/USSDRebalancer.sol
92:     function rebalance() override public {
93:       uint256 ownval = getOwnValuation();

A malicious user can take advantage of the manipulated price, maybe take profit from trading USSD and collaterals in the uniswap pool in control.

Impact

getOwnValuation() could return inaccurate result, and rebalance() function relies on this to trade USSD and collaterals. A malicious user could abuse this to influence the rebalance() and take profit.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#L71-L80

Tool used

Manual Review

Recommendation

Use TWAP price in getOwnValuation().

Duplicate of #451