Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect TWAP Calculation Due to Neglecting Proper Rounding for Negative Deltas

sparrow

Summary

The LibUniswapOracle library contains a critical flaw in its implementation of the Time Weighted Average Price (TWAP) calculation from Uniswap V3 pools. Specifically, the calculation of the arithmetic mean tick within the consult function does not properly handle negative tick cumulative deltas, leading to incorrect TWAP values. This oversight can significantly impact the accuracy of price data used in critical protocol operations, potentially leading to financial losses and undermining trust in the protocol.

Vulnerability Details

The core issue resides in the calculation of the arithmetic mean tick, which is a pivotal component of the TWAP computation. When the pool's price decreases over the observation period, resulting in a negative tick cumulative delta, the current calculation fails to correctly round down the tick value. This discrepancy can cause the calculated TWAP to be inaccurately inflated, affecting all functionalities dependent on precise price data.

In contrast to the original Uniswap V3 implementation, which included a check for negative tick deltas to ensure proper rounding, the LibUniswapOracle library omits this critical validation. As a result, the library may produce incorrect TWAP values under certain market conditions, compromising the integrity of the protocol's operations.
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/4e0ad0b964f74a1b4880114f4dd5b339bc69cd3e/protocol/contracts/libraries/Oracle/LibUniswapOracle.sol#L46-L70

Impact

The current implementation fails to correctly handle scenarios where the tickCumulativesDelta is negative. This can lead to incorrect calculations of the arithmetic mean tick, especially when the pool's price trend is downward over the secondsAgo period. Such inaccuracies could result in misleading price information provided by the Uniswap Oracle, potentially impacting trading decisions and financial outcomes for users and protocols relying on this data.

Tools Used

Manual Code Review

Recommended Mitigation

The consult function should be revised to incorporate the rounding logic originally present in the Uniswap V3 implementation. This adjustment involves reintroducing a check for negative tick cumulative deltas and adjusting the tick value accordingly to ensure proper rounding down

int24 tick = int24((tickCumulatives[1] - tickCumulatives[0]) / int56(int256(ago)));

if ((tickCumulatives[1] - tickCumulatives[0]) < 0 && (tickCumulatives[1] - tickCumulatives[0]) % int56(int256(ago)) != 0) {

tick--;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.