The tick derived from the "observe" call in twapFilter isn't rounded down for negative tick deltas
#248
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-195
grade-a
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_195_group
AI based duplicate group recommendation
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/libraries/PanopticMath.sol#L253
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticPool.sol#L1450
Vulnerability details
Impact
The twapFilter function is used in the getUniV3TWAP function, which is used to get the current tick for the liquidate and forceExercise functions. When a tick delta is negative, the division in twapFilter truncates toward zero instead of rounding toward negative infinity, so the returned tick can be higher than the correctly rounded value (by at most one tick per measured interval). This opens up cases of price manipulation and arbitrage around the TWAP-based checks in those functions.
Proof of Concept
The twapFilter function is used to get TWAP prices over a series of time intervals. The function calls univ3pool.observe(secondsAgos) to get the tickCumulatives array, which is then used to calculate the int24 twapMeasurement values. Because univ3pool.observe() can return tickCumulative values whose deltas are negative, those deltas need to be rounded down (toward negative infinity) when divided by the interval length, as is done in Uniswap's oracle library (OracleLibrary.consult decrements the mean tick when the delta is negative and the division is inexact). The function, however, does not account for this: Solidity's "/" truncates toward zero, so a negative, inexact quotient comes out one tick too high.
Tools Used
Manual code review
Recommended Mitigation Steps
The tick should be rounded down (toward negative infinity) in that case, as Uniswap's OracleLibrary does:
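The following is an added example illustrating the Proof of Concept and the mitigation above; it is not Panoptic's code and not part of the original report. It isolates the per-interval division that twapFilter performs on a tickCumulatives delta, shows the truncating result the original code produces, and applies the floor correction used by Uniswap's OracleLibrary.consult. The library name TickDeltaMath, the contract name TwapFilterRoundingDemo and the observation values are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not Panoptic's code): divide a tickCumulative delta by an
/// interval length so that negative deltas round toward negative infinity,
/// mirroring Uniswap's OracleLibrary.consult.
library TickDeltaMath {
    /// @notice Floor-divide a tickCumulative delta by an interval length.
    /// @param tickCumulativesDelta difference of two tickCumulative observations (may be negative)
    /// @param interval length of the interval in seconds (must be > 0)
    /// @return tick the arithmetic mean tick over the interval, rounded toward negative infinity
    function floorDivTickDelta(int56 tickCumulativesDelta, uint32 interval)
        internal
        pure
        returns (int24 tick)
    {
        int56 secs = int56(uint56(interval));
        tick = int24(tickCumulativesDelta / secs);
        // Solidity "/" truncates toward zero, so -7 / 2 == -3. The mean tick
        // must be floored (-4), so step down once when the quotient is
        // negative and the division is inexact. This is the check used by
        // Uniswap's OracleLibrary.consult.
        if (tickCumulativesDelta < 0 && (tickCumulativesDelta % secs != 0)) tick--;
    }
}

/// Compares the original truncating division with the floored version on a
/// constructed pair of observations (hypothetical data, not from any pool).
contract TwapFilterRoundingDemo {
    /// @return truncated the tick as the original twapFilter loop computes it
    /// @return floored the tick after applying the floor correction
    function compare() external pure returns (int24 truncated, int24 floored) {
        // Constructed tickCumulatives for two consecutive secondsAgos entries:
        // index 0 is the more recent observation, index 1 the older one, as in
        // the twapFilter loop (tickCumulatives[i] - tickCumulatives[i + 1]).
        int56[2] memory tickCumulatives = [int56(-1_000_007), int56(-1_000_000)];
        uint32 interval = 2; // stands in for twapWindow / 20 in the original

        int56 delta = tickCumulatives[0] - tickCumulatives[1]; // -7

        // Original behaviour: truncation toward zero yields -3.
        truncated = int24(delta / int56(uint56(interval)));

        // Corrected behaviour: floor toward negative infinity yields -4.
        floored = TickDeltaMath.floorDivTickDelta(delta, interval);
    }
}
```

In twapFilter the correction applies to each of the 19 per-interval measurements before they are sorted and the median is taken; a positive or exactly divisible delta is unaffected, so only negative, inexact quotients change, and each by exactly one tick.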
Assessed type
Uniswap