Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of Comprehensive Validation in setTargetSqrtPriceX96 Function Allows Setting Invalid SqrtPrice Values #14

Open
CipherHawk0 opened this issue Oct 14, 2024 · 0 comments
Open

Lack of Comprehensive Validation in setTargetSqrtPriceX96 Function Allows Setting Invalid SqrtPrice Values #14

CipherHawk0 opened this issue Oct 14, 2024 · 0 comments

Comments

@CipherHawk0
Copy link

Summary

The insufficient validation in the setTargetSqrtPriceX96 function will cause a medium impact on the protocol's price targeting mechanism as an attacker with the SETTER_ROLE can set invalid or extreme targetSqrtPriceX96 values, leading to inefficient swaps and destabilizing the BOOST peg.

Root Cause

In SolidlyV3AMO.sol, the setTargetSqrtPriceX96 function performs basic validation by ensuring that the provided targetSqrtPriceX96_ is within predefined minimum and maximum ratios. However, it lacks comprehensive validation to ensure that the new target price aligns with the protocol's liquidity and rebalancing strategies, potentially allowing extreme or logically inconsistent values.

Relevant Code Snippet:

function setTargetSqrtPriceX96(uint160 targetSqrtPriceX96_) public override onlyRole(SETTER_ROLE) {
    if (targetSqrtPriceX96_ <= MIN_SQRT_RATIO || targetSqrtPriceX96_ >= MAX_SQRT_RATIO) revert InvalidRatioValue();
    targetSqrtPriceX96 = targetSqrtPriceX96_;
    emit TargetSqrtPriceX96Set(targetSqrtPriceX96);
}

Internal pre-conditions

1-An account with the SETTER_ROLE needs to call setTargetSqrtPriceX96 to set a new target sqrt price.
2-The provided targetSqrtPriceX96_ is within the acceptable range defined by MIN_SQRT_RATIO and MAX_SQRT_RATIO.

External pre-conditions

1-The pool contract must function correctly with the specified targetSqrtPriceX96.
2-External market conditions do not render the targetSqrtPriceX96 setting ineffective or harmful.

Attack Path

1-The attacker, possessing the SETTER_ROLE, calls the setTargetSqrtPriceX96 function.
2-The attacker provides an extreme or logically inconsistent value for targetSqrtPriceX96_ within the allowed range.
3-The contract accepts this value due to the lack of comprehensive validation.
4-The invalid targetSqrtPriceX96 disrupts the swap operations, leading to inefficient or harmful swaps.
5-This misconfiguration can result in loss of funds, reduced liquidity efficiency, and destabilization of the BOOST peg.

Impact

The protocol experiences a medium risk of inefficient swap operations and potential loss of funds due to invalid targetSqrtPriceX96 settings. This can lead to reduced liquidity efficiency, increased slippage, and destabilization of the BOOST peg, affecting user confidence and financial stability.

PoC

// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

import "./SolidlyV3AMO.sol";

contract SqrtPriceAttackV3 {
    SolidlyV3AMO amo;

    constructor(address amoAddress) {
        amo = SolidlyV3AMO(amoAddress);
    }

    function exploit() public {
        // Assume the attacker has SETTER_ROLE
        // Set targetSqrtPriceX96_ to an extreme valid value within range
        amo.setTargetSqrtPriceX96(MAX_SQRT_RATIO - 1);
    }
}

Mitigation

1-Implement Comprehensive Validation:
Ensure that the new targetSqrtPriceX96_ aligns with the protocol's liquidity and rebalancing strategies.

function setTargetSqrtPriceX96(uint160 targetSqrtPriceX96_) public override onlyRole(SETTER_ROLE) {
    require(targetSqrtPriceX96_ > MIN_SQRT_RATIO && targetSqrtPriceX96_ < MAX_SQRT_RATIO, "Invalid sqrtPriceX96 value");
    // Additional logic to ensure target price aligns with liquidity strategies
    require(_isValidTargetSqrtPrice(targetSqrtPriceX96_), "Target sqrtPriceX96 does not align with liquidity strategy");
    targetSqrtPriceX96 = targetSqrtPriceX96_;
    emit TargetSqrtPriceX96Set(targetSqrtPriceX96);
}

function _isValidTargetSqrtPrice(uint160 targetSqrtPriceX96_) internal view returns (bool) {
    // Implement logic to validate target sqrt price based on current liquidity and protocol strategy
    return true; // Placeholder for actual validation logic
}

2-Implement Multi-Signature Controls:
Require multiple approvals for setting critical parameters like targetSqrtPriceX96 to add an additional layer of security.
3-Regular Audits and Monitoring:
Continuously monitor targetSqrtPriceX96 settings to detect and prevent unauthorized or malicious changes promptly.
4-Role Management Best Practices:
Minimize the number of addresses with privileged roles and ensure roles are granted judiciously.
5-Comprehensive Testing:
Develop unit tests that simulate various targetSqrtPriceX96 configurations to ensure accurate and secure price targeting.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@CipherHawk0