Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $88,500 USDC
Total HM: 31
Participants: 105
Period: 11 days
Judge: ronnyx2017
Total Solo HM: 7
Id: 342
League: ETH
Rank: 99/105
Findings: 1
Award: $6.61
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: b0g0
Also found by: 0x175, 0xAlix2, 0xblackskull, 0xspryon, 14si2o_Flint, Fitro, Giorgio, MSaptarshi, MohammedRizwan, Silvermist, boredpukar, crypticdefense, grearlake, kfx, maxim371, y0ng0p3
6.6125 USDC - $6.61
`pool.slot0` can be easily manipulated via flash loans to sandwich attack users. The `sqrtPriceX96` is pulled from `Uniswap.slot0`, which is the most recent data point and can be manipulated easily via MEV bots and flash loans with sandwich attacks, which can cause the loss of funds when interacting with the `Uniswap.swap` function.
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Oracle.sol#L363
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Oracle.sol#L357-L374
Manual Review
Use UniswapV3 TWAP or Chainlink Price Oracle.
Uniswap
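The difference between a spot read and the recommended TWAP, as an added example that is not part of the original submission or of the project's code: a Python model of a Uniswap V3 style tick accumulator, with a deviation check a consumer can apply before trusting the spot tick. The tick values, the 12-second block time, the 1800-second window and the 100-tick tolerance are all constructed assumptions.

```python
# Added example: constructed model of tick accumulation, not code from V3Oracle.sol.
# All names, tick values and thresholds below are hypothetical.

MAX_DEVIATION_TICKS = 100  # assumed tolerance, roughly a 1% price difference


def twap_tick(intervals):
    """Arithmetic mean tick over a window given as [(tick, seconds), ...].

    The accumulator grows by tick * seconds for each interval a tick was in
    force, so the mean is the cumulative delta divided by the window length.
    Floor division rounds toward negative infinity, which is the rounding a
    mean tick needs when the delta is negative.
    """
    delta = sum(tick * seconds for tick, seconds in intervals)
    window = sum(seconds for _, seconds in intervals)
    if window <= 0:
        raise ValueError("window must cover at least one second")
    return delta // window


def price_ratio(tick_a, tick_b):
    """Price at tick_a relative to price at tick_b (price = 1.0001 ** tick)."""
    return 1.0001 ** (tick_a - tick_b)


def spot_is_consistent(spot_tick, mean_tick, max_ticks=MAX_DEVIATION_TICKS):
    """Accept the spot tick only if it stays within max_ticks of the TWAP."""
    return abs(spot_tick - mean_tick) <= max_ticks


# Constructed scenarios over the same 1800-second window.
BASELINE = [(1000, 1800)]                  # undisturbed pool
HELD_ONE_BLOCK = [(1000, 1788), (6000, 12)]  # distorted tick persists for one block
SPOT_AFTER_DISTORTION = 6000               # what a slot0-style read returns


def report():
    """Compare how far the spot read and the TWAP move from the baseline."""
    base = twap_tick(BASELINE)
    mean = twap_tick(HELD_ONE_BLOCK)
    return {
        "twap_tick": mean,
        "spot_move": price_ratio(SPOT_AFTER_DISTORTION, base),
        "twap_move": price_ratio(mean, base),
        "spot_accepted": spot_is_consistent(SPOT_AFTER_DISTORTION, mean),
    }


if __name__ == "__main__":
    print(report())
```

A price moved and restored inside a single block adds no seconds to the accumulator, so in that case the TWAP stays at the baseline while the spot read reflects the full distortion.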
#0 - c4-pre-sort
2024-03-19T10:03:00Z
0xEVom marked the issue as duplicate of #191
#1 - c4-pre-sort
2024-03-19T10:03:06Z
0xEVom marked the issue as sufficient quality report
#2 - c4-pre-sort
2024-03-19T10:03:09Z
0xEVom marked the issue as insufficient quality report
#3 - c4-judge
2024-03-31T14:28:11Z
jhsagd76 marked the issue as duplicate of #175
#4 - c4-judge
2024-03-31T14:43:41Z
jhsagd76 marked the issue as partial-50
#5 - c4-judge
2024-04-01T15:43:40Z
jhsagd76 changed the severity to 2 (Med Risk)