Platform: Code4rena
Start Date: 26/09/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 113
Period: 5 days
Judge: 0xean
Total Solo HM: 6
Id: 166
League: ETH
Rank: 83/113
Findings: 1
Award: $35.48
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0xDecorativePineapple, 0xNazgul, 0xmatt, Jeiwan, Trust, berndartmueller, brgltd, catchup, ch13fd357r0y3r, cryptonue, ladboy233, minhtrng, neko_nyaa, rbserver, rvierdiiev, s3cunda
35.4829 USDC - $35.48
In Quickswap, the same AlgebraPoolDeployer deploys all pairs (using createPool). An attacker can wait for Quickswap to create the factory and then create all the popular coin pairs using the permissionless createPool. They may then call the permissionless initialize() pool function to set an unreasonably low or high initial price (2^-128 or 2^128). Price only changes during swap operations as liquidity is consumed. The bad price will mess up the limitSqrtPrice check during swaps, making users either unable to use the pool, or unable to set reasonable slippage, opening themselves up to large MEV losses.
The relevant section in the inner swap function _calculateSwapAndLock:
```solidity
if (zeroToOne) {
  require(limitSqrtPrice < currentPrice && limitSqrtPrice > TickMath.MIN_SQRT_RATIO, 'SPL');
  cache.totalFeeGrowth = totalFeeGrowth0Token;
  cache.communityFee = _communityFeeToken0;
} else {
  require(limitSqrtPrice > currentPrice && limitSqrtPrice < TickMath.MAX_SQRT_RATIO, 'SPL');
  cache.totalFeeGrowth = totalFeeGrowth1Token;
  cache.communityFee = _communityFeeToken1;
}
```
Affected pairs will not be able to be used, or the factory will need to be redeployed and the entire liquidity migrated.
Manual audit.
Insert a check that the current price is appropriate before enforcing it with limitSqrtPrice.
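The effect on the 'SPL' check can be modelled off-chain to flag pools whose price is far from a reference. The following Python sketch is an added example, not code from this finding or from the Algebra/Quickswap code base; it mirrors the two require branches quoted above. It assumes the Uniswap V3 TickMath bounds for MIN_SQRT_RATIO and MAX_SQRT_RATIO; the helpers slippage_limit and audit_pool and the 1500 reference price are hypothetical.

```python
# Added example: off-chain model of the 'SPL' require and a pool price sanity check.
# Bounds are the Uniswap V3 TickMath values; assumed to match Algebra's TickMath.
MIN_SQRT_RATIO = 4295128739
MAX_SQRT_RATIO = 1461446703485210103287273052203988822378723970342
Q96 = 2 ** 96


def spl_check_passes(zero_to_one: bool, limit_sqrt_price: int, current_price: int) -> bool:
    """Mirror of the require(..., 'SPL') branches in _calculateSwapAndLock."""
    if zero_to_one:
        return MIN_SQRT_RATIO < limit_sqrt_price < current_price
    return current_price < limit_sqrt_price < MAX_SQRT_RATIO


def sqrt_price_x96(price: float) -> int:
    """Encode a token1/token0 price as a Q64.96 sqrt price (float precision suffices here)."""
    return int(price ** 0.5 * Q96)


def slippage_limit(zero_to_one: bool, reference_price: float, slippage: float) -> int:
    """Limit a user would derive from an external reference price (hypothetical helper)."""
    factor = 1 - slippage if zero_to_one else 1 + slippage
    return sqrt_price_x96(reference_price * factor)


def audit_pool(current_price: int, reference_price: float, slippage: float = 0.01) -> dict:
    """Check whether reference-based limits are accepted in each swap direction."""
    ratio = (current_price / sqrt_price_x96(reference_price)) ** 2  # pool price / reference
    return {
        "zero_to_one_ok": spl_check_passes(
            True, slippage_limit(True, reference_price, slippage), current_price),
        "one_to_zero_ok": spl_check_passes(
            False, slippage_limit(False, reference_price, slippage), current_price),
        "mispriced": abs(ratio - 1) > slippage,
    }


# Constructed sample data: a reference price of 1500 token1 per token0.
REFERENCE = 1500.0
healthy = audit_pool(sqrt_price_x96(REFERENCE), REFERENCE)
# Pool whose price sits at the lower TickMath bound, the extreme-low case described above.
extreme = audit_pool(MIN_SQRT_RATIO, REFERENCE)

if __name__ == "__main__":
    print("healthy:", healthy)
    print("extreme:", extreme)
```

For the pool at the lower bound, a limit derived from the reference price is rejected in the zeroToOne direction, and no limit at all can satisfy both sides of that require.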
#0 - 0xean
2022-10-02T21:48:27Z
dupe of #84
#1 - trust1995
2022-10-04T07:06:35Z
@0xean Isn't the attack description here different enough from #84 for it to be another attack?
#2 - sameepsi
2022-10-04T07:09:18Z
Looks the same to me.