Usage of slot0's information is prone to manipulation attack #12
Labels: bug, downgraded by judge, duplicate-23, grade-a, Q-05, QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/Base.sol#L183
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/Base.sol#L326
Vulnerability details
Impact
slot0 is the most recent data point, which can be manipulated through swaps and flash loans. Operations that rely on this data are susceptible to price manipulation attacks.
Proof of Concept
It can be observed that the slot0 price is used when calculating getRequiredRepay, which calculates the amount that needs to be repaid when closing or liquidating a trader's position.
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/libraries/Base.sol#L163-L192
Traders can leverage a flash loan to sandwich the operation so that it becomes profitable for them when calculating the amount that needs to be provided back to the LP's liquidity position.
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L410-L439
Tools Used
Manual review.
Recommended Mitigation Steps
Use TWAP for the price inside the operation.
Assessed type
Uniswap