Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $88,500 USDC
Total HM: 31
Participants: 105
Period: 11 days
Judge: ronnyx2017
Total Solo HM: 7
Id: 342
League: ETH
Rank: 19/105
Findings: 1
Award: $737.08
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Bauchibred
737.0773 USDC - $737.08
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Oracle.sol#L346
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/automators/Automator.sol#L187
If tickCumulatives[1] - tickCumulatives[0] is negative and (tickCumulatives[1] - tickCumulatives[0]) % twapSeconds != 0, then the returned tick will be bigger than it should be.
In the V3Oracle contract, the function _getReferencePoolPriceX96() is used by the protocol to get the average price.
The problem is that if tickCumulatives[1] - tickCumulatives[0] is negative, then timeWeightedTick should be rounded down, as in the Uniswap library.
As a result, if tickCumulatives[1] - tickCumulatives[0] is negative and (tickCumulatives[1] - tickCumulatives[0]) % twapSeconds != 0, the tick will be bigger than it should be, which opens the possibility of arbitrage opportunities.
Another instance of the same issue: https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/automators/Automator.sol#L187
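The rounding difference described above, as an added example that is not code from the audited repository: Solidity's signed division truncates toward zero, so a negative cumulative delta that does not divide evenly yields a tick one higher than the floor. The names TwapRounding, truncatedTick, flooredTick and delta are hypothetical, delta is assumed to be the later cumulative minus the earlier one, and the sample values are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration; names and sample values are hypothetical/constructed.
library TwapRounding {
    /// Mean tick using plain signed division, which truncates toward zero.
    /// For a negative delta with a remainder this lands one tick too high.
    function truncatedTick(int56 delta, uint32 twapSeconds) internal pure returns (int24) {
        return int24(delta / int56(uint56(twapSeconds)));
    }

    /// Mean tick rounded toward negative infinity.
    /// The sign and remainder checks use the same delta that is divided.
    function flooredTick(int56 delta, uint32 twapSeconds) internal pure returns (int24 tick) {
        int56 period = int56(uint56(twapSeconds));
        tick = int24(delta / period);
        // In Solidity the remainder takes the sign of the dividend,
        // so a negative delta with a non-zero remainder was rounded up.
        if (delta < 0 && (delta % period != 0)) tick--;
    }
}

contract TwapRoundingCheck {
    /// Reverts if any of the constructed cases disagrees with the expected rounding.
    function check() external pure {
        // delta = -1001 over 100 seconds: exact mean is -10.01
        assert(TwapRounding.truncatedTick(-1001, 100) == -10); // rounded up
        assert(TwapRounding.flooredTick(-1001, 100) == -11);   // rounded down

        // Negative delta that divides evenly: both agree, no adjustment.
        assert(TwapRounding.truncatedTick(-1000, 100) == -10);
        assert(TwapRounding.flooredTick(-1000, 100) == -10);

        // Positive delta: truncation already equals the floor.
        assert(TwapRounding.truncatedTick(1001, 100) == 10);
        assert(TwapRounding.flooredTick(1001, 100) == 10);
    }
}
```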
Manual Review
Tick should be rounded down in this case:
int24 tick = int24((tickCumulatives[0] - tickCumulatives[1]) / int56(uint56(twapSeconds))); + if ((tickCumulatives[1] - tickCumulatives[0]) < 0 && ((tickCumulatives[1] - tickCumulatives[0]) % twapSeconds != 0)) tick--;
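Review bot: the added condition tests tickCumulatives[1] - tickCumulatives[0], while the unchanged line before it divides tickCumulatives[0] - tickCumulatives[1]; the decrement should be gated on the sign and remainder of the same difference that is divided, otherwise it applies when the quotient is positive and is skipped when the quotient is negative. The modulo also uses twapSeconds without a cast, although the division wraps it as int56(uint56(twapSeconds)); apply the same cast in the % expression, ideally by storing the delta and the cast period in local variables and reusing them in both the division and the check.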
Context
#0 - c4-pre-sort
2024-03-22T07:16:09Z
0xEVom marked the issue as primary issue
#1 - c4-pre-sort
2024-03-22T07:16:17Z
0xEVom marked the issue as sufficient quality report
#2 - c4-pre-sort
2024-03-22T07:18:51Z
0xEVom marked the issue as duplicate of #498
#3 - c4-pre-sort
2024-03-25T12:11:36Z
0xEVom marked the issue as duplicate of #127
#4 - c4-judge
2024-04-01T08:25:21Z
jhsagd76 marked the issue as satisfactory
#5 - c4-judge
2024-04-01T15:41:25Z
jhsagd76 changed the severity to 3 (High Risk)