Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

0x52 - IchiLpOracle is extemely easy to manipulate due to how IchiVault calculates underlying token balances #20

Open
github-actions bot opened this issue Mar 1, 2023 · 0 comments
Open

0x52 - IchiLpOracle is extemely easy to manipulate due to how IchiVault calculates underlying token balances #20

github-actions bot opened this issue Mar 1, 2023 · 0 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@github-actions
Copy link

github-actions bot commented Mar 1, 2023

0x52

high

IchiLpOracle is extemely easy to manipulate due to how IchiVault calculates underlying token balances

Summary

IchiVault#getTotalAmounts uses the UniV3Pool.slot0 to determine the number of tokens it has in it's position. slot0 is the most recent data point and is therefore extremely easy to manipulate. Given that the protocol specializes in leverage, the effects of this manipulation would compound to make malicious uses even easier.

Vulnerability Detail

ICHIVault.sol

function _amountsForLiquidity(
    int24 tickLower,
    int24 tickUpper,
    uint128 liquidity
) internal view returns (uint256, uint256) {
    (uint160 sqrtRatioX96, , , , , , ) = IUniswapV3Pool(pool).slot0();
    return
        UV3Math.getAmountsForLiquidity(
            sqrtRatioX96,
            UV3Math.getSqrtRatioAtTick(tickLower),
            UV3Math.getSqrtRatioAtTick(tickUpper),
            liquidity
        );
}

IchiVault#getTotalAmounts uses the UniV3Pool.slot0 to determine the number of tokens it has in it's position. slot0 is the most recent data point and can easily be manipulated.

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/IchiLpOracle.sol#L27-L36

IchiLPOracle directly uses the token values returned by vault#getTotalAmounts. This allows a malicious user to manipulate the valuation of the LP. An example of this kind of manipulation would be to use large buys/sells to alter the composition of the LP to make it worth less or more.

Impact

Ichi LP value can be manipulated to cause loss of funds for the protocol and other users

Code Snippet

Tool used

Manual Review

Recommendation

Token balances should be calculated inside the oracle instead of getting them from the IchiVault. To determine the liquidity, use a TWAP instead of slot0.
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue labels Mar 1, 2023
This was referenced Mar 1, 2023
Closed
Closed
Closed
Closed
Closed
Closed
@Gornutz Gornutz added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Mar 8, 2023
@hrishibhat hrishibhat mentioned this issue Mar 14, 2023
Closed
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 19, 2023
@code423n4 code423n4 mentioned this issue Mar 29, 2023
Closed
@sherlock-admin sherlock-admin mentioned this issue May 23, 2023
Closed
@Banditx0x Banditx0x mentioned this issue Nov 15, 2023
Closed
@c4-bot-5 c4-bot-5 mentioned this issue Apr 21, 2024
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Gornutz @sherlock-admin