
Timestamp Manipulation

Published: 2023-10-06 00:00:00
Source: Code4rena (github.com)
Tags: vulnerability, impact, proof of concept, manipulation, timestamps, rewards, mitigation, liquidity mining

AI Score: 6.8 (Confidence: Low)

Lines of code

Vulnerability details

Impact

There is a problem in this contract, especially where tickTrackingIndex is updated within the loop: an attacker can manipulate the values of enterTimestamp and exitTimestamp to force tickActiveEnd to be significantly larger than tickActiveStart. This inflates timeWeightedWeeklyPositionInRangeConcLiquidity_ with a disproportionately high value, which can lead to an improper distribution of rewards.

Proof of Concept

A scenario for exploiting the vulnerability:

  • An attacker monitors the contract's behavior and notices a predictable pattern of tick entry and exit events.
  • The attacker submits a transaction right before a tick is about to be exited. They use a custom script to monitor tick behavior and blockchain events, allowing them to predict this timing accurately.
  • Their transaction triggers the setting of exitTimestamp just after their transaction's timestamp, due to the tick exit event.
  • This causes an artificial increase in the tickActiveEnd variable, which is later used to calculate rewards.

As a result, the attacker receives a disproportionately high reward compared to other users, even though their position was not actively contributing liquidity for an extended period.

Tools Used

Manual review

Recommended Mitigation Steps

Check that enterTimestamp and exitTimestamp are consistent with the actual tick entry and exit events, and reject transactions with manipulated timestamps.
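As an added illustration (not code from the contest repository or from the warden), the following Python model shows how the weekly in-range accumulator can apply the consistency checks this mitigation asks for: an interval whose timestamps lie in the future or run backwards is rejected, and every accepted interval is clamped to the reward week and to the current time, so tickActiveEnd minus tickActiveStart can never exceed what the week actually contains. The TickInterval record, validate_interval, the WEEK constant and the sample timestamps are assumptions made for the example.

```python
from dataclasses import dataclass

WEEK = 7 * 24 * 3600  # assumed length of one reward week, in seconds


@dataclass
class TickInterval:
    """Hypothetical record of one stretch during which the pool's current tick
    sat inside the position's range (the contract keeps this in its own arrays)."""
    enter_timestamp: int  # when the tick entered the range
    exit_timestamp: int   # when it left; 0 means the tick is still in range


def validate_interval(iv: TickInterval, now: int) -> bool:
    """Consistency checks on enterTimestamp / exitTimestamp: neither may lie in
    the future, and a recorded exit may not precede the entry."""
    if iv.enter_timestamp > now:
        return False
    if iv.exit_timestamp != 0 and iv.exit_timestamp < iv.enter_timestamp:
        return False
    if iv.exit_timestamp > now:
        return False
    return True


def time_weighted_in_range_liquidity(intervals, liquidity, week_start, now):
    """Model of timeWeightedWeeklyPositionInRangeConcLiquidity_ for one position
    and one week: sum of liquidity * (tickActiveEnd - tickActiveStart), with the
    active window clamped to [week_start, min(week_start + WEEK, now)].
    Raises ValueError instead of crediting an inconsistent interval."""
    week_end = min(week_start + WEEK, now)
    total = 0
    for iv in intervals:
        if not validate_interval(iv, now):
            raise ValueError(f"inconsistent tick timestamps: {iv}")
        exit_ts = iv.exit_timestamp if iv.exit_timestamp != 0 else now
        tick_active_start = max(iv.enter_timestamp, week_start)
        tick_active_end = min(exit_ts, week_end)
        if tick_active_end > tick_active_start:
            total += liquidity * (tick_active_end - tick_active_start)
    return total


if __name__ == "__main__":
    # Constructed sample: the week starts at t=1_000_000, evaluated at t=1_300_000.
    intervals = [
        TickInterval(1_000_100, 1_000_400),  # fully inside the week: 300 s
        TickInterval(999_000, 1_100_000),    # entered before the week: clamped to 100_000 s
        TickInterval(1_250_000, 0),          # still in range: counted up to `now`, 50_000 s
    ]
    print(time_weighted_in_range_liquidity(intervals, 10, 1_000_000, 1_300_000))  # 1503000
```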

Assessed type

Other
