Skip to content

Latest commit

 

History

History
80 lines (53 loc) · 2.66 KB

083.md

File metadata and controls

80 lines (53 loc) · 2.66 KB

Obedient Umber Osprey

Medium

Usage Of slot0 To Get sqrtPriceLimitX96 Is Extremely Prone To Manipulation

Summary

In the getV3SqrtHighestPrice function in the NumaOracle.sol contract and the UniswapV3.slot0 is used to get the value ofsqrtPriceX96`.

The usage of slot0 is extremely prone to manipulation. The [slot0](https://docs.uniswap.org/contracts/v3/reference/core/interfaces/pool/IUniswapV3PoolState#slot0) in the pool stores many values, and is exposed as a single method to save gas when accessed externally. The data can change with any frequency including multiple times per transaction.

Root Cause

https://github.com/sherlock-audit/2024-12-numa-audit/blob/main/Numa/contracts/NumaProtocol/NumaOracle.sol#L168 function getV3SpotPrice( address _numaPool, uint _numaAmount ) external view returns (uint256) { (uint160 sqrtPriceX96, , , , , , ) = IUniswapV3Pool(_numaPool).slot0();

https://github.com/sherlock-audit/2024-12-numa-audit/blob/main/Numa/contracts/NumaProtocol/NumaOracle.sol#L270 function getV3SqrtLowestPrice( address _uniswapV3Pool, uint32 _intervalShort, uint32 _intervalLong ) public view returns (uint160) { require( _intervalLong > _intervalShort, "intervalLong must be longer than intervalShort" );

    uint160 sqrtPriceX96;

    //Spot price of the token
    (uint160 sqrtPriceX96Spot, , , , , , ) = IUniswapV3Pool(_uniswapV3Pool)
        .slot0();

https://github.com/sherlock-audit/2024-12-numa-audit/blob/main/Numa/contracts/NumaProtocol/NumaOracle.sol#L341 function getV3SqrtHighestPrice( address _uniswapV3Pool, uint32 _intervalShort, uint32 _intervalLong ) public view returns (uint160) { require( _intervalLong > _intervalShort, "intervalLong must be longer than intervalShort" );

    uint160 sqrtPriceX96;
    //Spot price of the token
    (uint160 sqrtPriceX96Spot, , , , , , ) = IUniswapV3Pool(_uniswapV3Pool)
        .slot0();

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The sqrtPriceX96 is pulled from Uniswap.slot0, which is the most recent data point and can be manipulated easily via MEV bots and Flashloans with sandwich attacks, which can cause the loss of funds when interacting with Uniswap.swap function. This could lead to wrong calculations and loss of funds for the protocol and other users.

PoC

No response

Mitigation

No response