Lines of code
Vulnerability details
Impact
There is a problem in the contract, especially when updating tickTrackingIndex within the loop: an attacker can manipulate the values of enterTimestamp and exitTimestamp to force tickActiveEnd to be significantly larger than tickActiveStart and so inflate timeWeightedWeeklyPositionInRangeConcLiquidity_ with a disproportionately high value. This can lead to an improper distribution of rewards.
Proof of Concept
A scenario for exploiting the vulnerability:
- An attacker monitors the contract's behavior and notices a predictable pattern of tick entry and exit events.
- The attacker submits a transaction right before a tick is about to be exited. They use a custom script to monitor tick behavior and blockchain events, allowing them to predict this timing accurately.
- Their transaction triggers the setting of exitTimestamp just after their transaction's timestamp, due to the tick exit event.
- This causes an artificial increase in the tickActiveEnd variable, which is later used to calculate rewards.
As a result, the attacker receives a disproportionately high reward compared to other users, even though their position was not actively contributing liquidity for an extended period.
Tools Used
MANUAL REVIEW
Recommended Mitigation Steps
Check that enterTimestamp and exitTimestamp are consistent with the actual tick entry and exit events, and reject transactions with manipulated timestamps.
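A sketch of the consistency check recommended above, written as an off-chain Python model. This is an added example, not the contract's code. It borrows the report's names in snake_case and assumes a one-week reward window, chronologically ordered tracking entries, and an exit timestamp of 0 meaning the tick has not been exited yet.

```python
from dataclasses import dataclass

WEEK = 7 * 24 * 3600  # assumed reward window length in seconds


@dataclass(frozen=True)
class TickTracking:
    enter_timestamp: int
    exit_timestamp: int  # 0 = tick not exited yet (assumed convention)


def active_interval(entry, window_start, window_end, now):
    """Return (tick_active_start, tick_active_end) clamped to the window."""
    if entry.enter_timestamp > now:
        raise ValueError("enterTimestamp lies in the future")
    exit_ts = entry.exit_timestamp or now  # open interval ends at 'now'
    if exit_ts > now:
        raise ValueError("exitTimestamp lies in the future")
    if exit_ts < entry.enter_timestamp:
        raise ValueError("exitTimestamp precedes enterTimestamp")
    start = max(entry.enter_timestamp, window_start)
    end = min(exit_ts, window_end)
    return start, max(start, end)  # zero length if outside the window


def time_weighted_liquidity(entries, liquidity, window_start, window_end, now):
    """Sum liquidity * in-range seconds over chronologically ordered entries."""
    total, prev_exit = 0, 0
    for i, entry in enumerate(entries):
        if entry.enter_timestamp < prev_exit:
            raise ValueError("tracking entries overlap")
        if entry.exit_timestamp == 0 and i != len(entries) - 1:
            raise ValueError("only the last entry may be open")
        start, end = active_interval(entry, window_start, window_end, now)
        total += liquidity * (end - start)
        prev_exit = entry.exit_timestamp or now
    # Invariant: a position cannot be in range longer than the window lasts.
    assert total <= liquidity * (window_end - window_start)
    return total


# Constructed sample data: one reward week and two tracking entries.
WINDOW_START, WINDOW_END = 10 * WEEK, 11 * WEEK
NOW = WINDOW_END + 100
SAMPLE = [
    TickTracking(WINDOW_START + 100, WINDOW_START + 400),  # 300 s in range
    TickTracking(WINDOW_START + 1000, WINDOW_END + 50),    # exits after window
]
```

Clamping means an exit recorded after the window closes cannot add in-range time beyond the window, and inconsistent or overlapping entries are rejected instead of being counted.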
Assessed type
Other