Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Usage of slot 0 to get sqrtPriceLimitX96 can be easily manipulated #46

Closed
howlbot-integration bot opened this issue Nov 4, 2024 · 2 comments
Closed

Usage of slot 0 to get sqrtPriceLimitX96 can be easily manipulated #46

howlbot-integration bot opened this issue Nov 4, 2024 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-27 🤖_03_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/ronin-chain/katana-v3-contracts/blob/03c80179e04f40d96f06c451ea494bb18f2a58fc/src/core/KatanaV3Pool.sol#L43

Vulnerability details

The sqrtPriceX96 is derived from `slot0(), which can be easily manipulate.

struct Slot0 {
// the current price
uint160 sqrtPriceX96;
// the current tick
int24 tick;
// the most-recently updated index of the observations array
uint16 observationIndex;
// the current maximum number of observations that are being stored
uint16 observationCardinality;
// the next maximum number of observations to store, triggered in observations.write
uint16 observationCardinalityNext;
// the numerator of the current protocol fee which is a ratio of the swap fee
uint8 feeProtocolNum;
// the denominator of the current protocol fee which is a ratio of the swap fee
uint8 feeProtocolDen;
// whether the pool is locked
bool unlocked;
}

This report below inspired this bug report and it is similar to this situatiom
Example: https://solodit.cyfrin.io/issues/h-02-use-of-slot0-to-get-sqrtpricelimitx96-can-lead-to-price-manipulation-code4rena-maia-dao-ecosystem-maia-dao-ecosystem-git

Recommended Mitigation Steps

Use the TWAP function to get the value of sqrtPriceX96.

Assessed type

Oracle
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_03_group AI based duplicate group recommendation bug Something isn't working duplicate-27 sufficient quality report This report is of sufficient quality labels Nov 4, 2024
howlbot-integration bot added a commit that referenced this issue Nov 4, 2024
@howlbot-integration
mjcpwns issue #46
a66f466
@nevillehuang
Copy link

Likely invalid and OOS per contest details. This is likely a known uniswapv3 issue

All public known issues, including public audit reports of Uniswap V3 that affect Katana V3

Many issues lack sufficient description of the issue as well, e.g. #validation-178, #validation-47

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Nov 11, 2024
@c4-judge
Copy link

alex-ppg marked the issue as unsatisfactory:
Invalid

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-27 🤖_03_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nevillehuang @c4-judge