Zellic - Audit Reports

Impact of manipulations of the Uniswap pool price

In this section, we discuss the impact of manipulations of the Uniswap pool price by a possible attacker within a single transaction, that is without manipulating the time-weighted average price. Let us denote the two tokens by $X$ and $Y$ . We assume that the time-weighted average price is $P$ (this is in units of $\frac{Y}{X}$ ), and in the positive direction, the onlyCalmPeriods modifier checks that the current price at the time of invocation $p$ satisfies $p \leq (1 + d) \cdot P$ for some constant $d \geq 0$ . We will sketch an attack scenario in which the attacker attempts to use price manipulations in order to steal value from the vault/strategy contracts, and we will attempt to estimate (making some simplifications along the way) under what conditions, in particular what value of $d$ , the attacker can make a profit. We assume the price before the attacker begins is $P$ and that the value of the strategy contract's position is $V$ (in units of $Y$ ).

The attacker takes the following actions with funds of tokens $X$ and $Y$ potentially obtained from a flash loan, and paid back at the end. We will expand on the precise amounts later.

They buy a large amount of $X$ in the Uniswap pool with their $Y$ , moving the price to $p = (1 + d) \cdot P$ .
They deposit some tokens $X$ into the vault.
They sell a large amount of $X$ in the Uniswap pool, moving the price back to $P$ .
They withdraw their share of the vault.

Step 1: Manipulating the price

To simplify our calculations, we assume that the liquidity provided by the strategy to the Uniswap pool is centered around the tick corresponding to the price $P$ , with a very small width, so that we can ignore the price change while trading within that position for the purposes of our estimate. This position, valued $V$ in total, is composed of $X$ and $Y$ so that half of the value is in each of the two tokens, so it consists of $a_{Y} = \frac{V}{2}$ tokens $Y$ and $a_{X} = \frac{V}{2 \cdot P}$ tokens $X$ .

The attackers buying converts the strategy's position entirely to token $Y$ , so the attacker will pay $a_{Y}$ in $Y$ for this and receive $a_{X}$ in $X$ . Beyond that, let us assume that the rest of the liquidity in the Uniswap pool amounts to having to pay $b_{Y}$ in $Y$ and obtain $b_{X}$ in $X$ to move the price to $p = (1 + d) \cdot P$ .

The above was without fees. Let us assume the fee rate for the Uniswap pool is $γ$ , for example $γ = 1.0005$ (i.e., 0.05%). Then after Step 1, the attacker has paid $(a_{Y} + b_{Y}) \cdot (1 - γ)^{- 1}$ of token $Y$ and received $a_{X} + b_{X}$ of token $X$ .

Step 2: Depositing tokens

The attacker now deposits $c_{X}$ tokens $X$ . Note that due to this step, we must restrict our price manipulation in such a way as to pass the onlyCalmPeriods check.

The first thing that will happen is that the strategy removes its liquidity. Ignoring the minor amount of fees, this results in the entire value $V$ being returned in the form of token $Y$ . The price of the $c_{X}$ tokens $X$ contributed by the attacker is $c_{X} \cdot (1 + d) \cdot P$ . If the total amount of shares before was $T$ , then the attacker thus receives $\frac{T \cdot c _{X} \cdot ( 1 + d ) \cdot P}{V}$ .

The strategy contract will then provide liquidity to the Uniswap pool around the current price, providing $c_{X}$ of token $X$ and $V$ of token $Y$ .

Step 3: Returning the price to normal

To trade back the price in the Uniswap pool to where it was before, the attacker first needs to trade through the strategy contract's position, which means converting the tokens $Y$ to $X$ , at a price of $(1 + d) \cdot P$ (we again ignore the price changes due to the width of the position). As the strategy contract's position consisted of $V$ of token $Y$ , the attacker must pay $d_{X} = \frac{V}{( 1 + d ) \cdot P}$ of token $X$ for this without fees, and they receive $V$ of token $Y$ in return.

After that, the attacker has to pay $b_{X}$ in $X$ and receive $b_{Y}$ in $Y$ , reverting the trade regarding the remaining liquidity in the pool between the prices.

Taking into account Uniswap fees, in total the attacker has to pay $(d_{X} + b_{X}) \cdot (1 - γ)^{- 1}$ in $X$ and receives $V + b_{Y}$ in token $Y$ .

Step 4: Withdrawing the shares

When withdrawing the shares, the strategy will first withdraw its liquidity, which amounts to $c_{X} + d_{X}$ of token $X$ . We can rewrite this as follows.

c_{X} + d_{X} = c_{X} + \frac{V}{( 1 + d ) \cdot P} = \frac{c _{X} \cdot ( 1 + d ) \cdot P + V}{( 1 + d ) \cdot P}

The attacker holds $\frac{T \cdot c _{X} \cdot ( 1 + d ) \cdot P}{V}$ of a total of $T + \frac{T \cdot c _{X} \cdot ( 1 + d ) \cdot P}{V}$ shares, and so they receive the following amount of tokens $X$ . They thus receive the following amount of tokens $X$ .

e_{X} = \frac{T \cdot c _{X} \cdot ( 1 + d ) \cdot P}{V} \cdot (T + \frac{T \cdot c _{X} \cdot ( 1 + d ) \cdot P}{V})^{- 1} \cdot (c_{X} + d_{X}) = \frac{T \cdot c _{X} \cdot ( 1 + d ) \cdot P}{V} \cdot (\frac{T \cdot V + T \cdot c _{X} \cdot ( 1 + d ) \cdot P}{V})^{- 1} \cdot (c_{X} + d_{X}) = \frac{T \cdot c _{X} \cdot ( 1 + d ) \cdot P}{T \cdot V + T \cdot c _{X} \cdot ( 1 + d ) \cdot P} \cdot (c_{X} + d_{X}) = \frac{c _{X} \cdot ( 1 + d ) \cdot P}{V + c _{X} \cdot ( 1 + d ) \cdot P} \cdot \frac{c _{X} \cdot ( 1 + d ) \cdot P + V}{( 1 + d ) \cdot P} = c_{X}

End result for the vault

At the end, the vault is left with only tokens $X$ . Let us calculate their worth in terms of token $Y$ in order to compare with the original worth of $V$ .

V_{a f t er} = ((c_{X} + d_{X}) - e_{X}) \cdot P = c_{X} + (\frac{V}{( 1 + d ) \cdot P} - c_{X}) \cdot P = \frac{V}{( 1 + d ) \cdot P} \cdot P = \frac{V}{( 1 + d )}

According to the above formula, the vault/strategy contracts lose value, with loss increasing the bigger $d > 0$ is. For very small $d$ , this loss might be offset by the fees collected during the attack. For the first step, the fees collected will be about $\frac{V}{2} \cdot \frac{γ}{1 - γ}$ in token $Y$ . The fees collected when trading back will be about $\frac{V}{( 1 + d ) \cdot P} \cdot \frac{γ}{1 - γ}$ in token $X$ . The total worth of the fees is thus, in $Y$ ,

V_{f ees} = \frac{V}{2} \cdot \frac{γ}{1 - γ} + \frac{V}{( 1 + d ) \cdot P} \cdot \frac{γ}{1 - γ} \cdot P = V \cdot (\frac{1}{2} + \frac{1}{1 + d}) \cdot \frac{γ}{1 - γ}

We can easily check that these results are plausible: the strategy traded its entire value from one token to the other at the unfavorable price of $(1 + d) \cdot P$ instead of $P$ , so $V_{a f t er}$ is as one would expect. Similarly, fees collected come from trading half of the liquidity at the start, and then the entire liquidity, but at the unfavorable price, so $\frac{1}{2} + \frac{1}{1 - d}$ is as expected as well.

Conditions under which the vault makes a loss

For what $d$ will the fees we just estimated offset the loss? For the vault not losing value on this attack, we obtain the following, assuming $γ < 2/3$ :

⟺ ⟺ ⟺ ⟺ ⟺ ⟺ \frac{V}{( 1 + d )} + V \cdot (\frac{1}{2} + \frac{1}{1 + d}) \cdot \frac{γ}{1 - γ} \geq V \frac{1}{( 1 + d )} + (\frac{1}{2} + \frac{1}{1 + d}) \cdot \frac{γ}{1 - γ} \geq 1 \frac{1 + \frac{γ}{1 - γ}}{( 1 + d )} + \frac{γ}{2 - 2 γ} \geq 1 \frac{1 + \frac{γ}{1 - γ}}{( 1 + d )} \geq 1 - \frac{γ}{2 - 2 γ} \frac{1 + \frac{γ}{1 - γ}}{1 - \frac{γ}{2 - 2 γ}} \geq 1 + d \frac{1 + \frac{γ}{1 - γ}}{1 - \frac{γ}{2 - 2 γ}} - 1 \geq d

Let us calculate this for a concrete value for $γ$ . Uniswap V3 pools can have different fees. A lower fee will be worse for the vault/strategy here, so to be conservative, let us consider a low fee of 0.01%, for which there for example exists a DAI/USDC pool with significant activity. Using this script,

gamma = 0.0001
num = 1 + (gamma / (1-gamma))
denom =  1 - (gamma / 2*(1 - gamma))
result = num/denom - 1
print(result)

we obtain that we must have roughly $d < 0.00015$ to not make a loss, amounting to a relative price change from the time-weighted average price of at most 0.015%. It thus might not always be feasible to prevent this kind of attack by choosing $d$ in such a way that the vault/strategy will never make a loss; prevention must hinge on the attacker being unable to make a profit instead (due to having to trade through the rest of the liquidity providers' liquidity as well).

End result for the attacker

Let us calculate the net amount of token $X$ and $Y$ the attacker gained. We obtain the following.

Δ_{X} = a_{X} + b_{X} - c_{X} - (d_{X} + b_{X}) \cdot (1 - γ)^{- 1} + c_{X} = a_{X} + b_{X} - (d_{X} + b_{X}) \cdot (1 - γ)^{- 1} = \frac{V}{2 \cdot P} + b_{X} - (\frac{V}{( 1 + d ) \cdot P} + b_{X}) \cdot (1 - γ)^{- 1} = \frac{V}{2 \cdot P} - \frac{V}{( 1 + d ) \cdot P \cdot ( 1 - γ )} - b_{X} \cdot \frac{γ}{1 - γ} = \frac{V}{P} \cdot (\frac{1}{2} - \frac{1}{( 1 + d ) \cdot ( 1 - γ )}) - b_{X} \cdot \frac{γ}{1 - γ}

Δ_{Y} = - (a_{Y} + b_{Y}) \cdot (1 - γ)^{- 1} + V + b_{Y} = - (\frac{V}{2} + b_{Y}) \cdot (1 - γ)^{- 1} + V + b_{Y} = \frac{V \cdot ( 1 - 2 γ )}{2 \cdot ( 1 - γ )} - b_{Y} \cdot \frac{γ}{1 - γ}

Let us convert the total value to token $Y$ . To simplify, we assume that the liquidity in the Uniswap pool was concentrated around the price $P$ , so that we can estimate $b_{Y} = b_{X} \cdot P$ . Then we obtain

Δ_{X} \cdot P + Δ_{Y} = V \cdot (\frac{1}{2} - \frac{1}{( 1 + d ) \cdot ( 1 - γ )}) - b_{Y} \cdot \frac{γ}{1 - γ} + \frac{V \cdot ( 1 - 2 γ )}{2 \cdot ( 1 - γ )} - b_{Y} \cdot \frac{γ}{1 - γ} = V \cdot (\frac{1}{2} - \frac{1}{( 1 + d ) \cdot ( 1 - γ )} + \frac{1 - 2 γ}{2 \cdot ( 1 - γ )}) - b_{Y} \cdot \frac{2 γ}{1 - γ}

We can check plausibility of this formula: the $V \cdot (\frac{1}{2} - \frac{1}{( 1 + d ) \cdot ( 1 - γ )} + \frac{1 - 2 γ}{2 \cdot ( 1 - γ )})$ part comes from the attacker trading with the strategy's positions. If we set $γ = 0$ , this would be $V \cdot (1 - \frac{1}{( 1 + d )})$ , which corresponds to buying the strategy's entire balance while only needing to pay $\frac{1}{1 + d}$ of the fair price for it, which is exactly what the attack is doing, so this is exactly as we would expect. The occurence of $γ$ lowers the value due to losses due to fees. The $b_{Y} \cdot \frac{2 γ}{1 - γ}$ part is then from the fees required to trade through the other liquidity provider's liquidity twice.

Conditions under which the attack is profitable

Given a certain ratio between $V$ and $b_{Y}$ , say $r = V / b_{Y}$ , what values of $d$ allow the attacker to make a profit? We obtain

⟺ ⟺ ⟺ ⟺ ⟺ ⟺ V \cdot (\frac{1}{2} - \frac{1}{( 1 + d ) \cdot ( 1 - γ )} + \frac{1 - 2 γ}{2 \cdot ( 1 - γ )}) - b_{Y} \cdot \frac{2 γ}{1 - γ} \geq 0 r \cdot b_{Y} \cdot (\frac{1}{2} - \frac{1}{( 1 + d ) \cdot ( 1 - γ )} + \frac{1 - 2 γ}{2 \cdot ( 1 - γ )}) - b_{Y} \cdot \frac{2 γ}{1 - γ} \geq 0 r \cdot (\frac{1}{2} - \frac{1}{( 1 + d ) \cdot ( 1 - γ )} + \frac{1 - 2 γ}{2 \cdot ( 1 - γ )}) - \frac{2 γ}{1 - γ} \geq 0 \frac{1}{2} - \frac{1}{( 1 + d ) \cdot ( 1 - γ )} + \frac{1 - 2 γ}{2 \cdot ( 1 - γ )} \geq r^{- 1} \cdot \frac{2 γ}{1 - γ} \frac{1}{2} + \frac{1 - 2 γ}{2 \cdot ( 1 - γ )} - r^{- 1} \cdot \frac{2 γ}{1 - γ} \geq \frac{1}{( 1 + d ) \cdot ( 1 - γ )} (1 - γ) \cdot (\frac{1}{2} + \frac{1 - 2 γ}{2 \cdot ( 1 - γ )} - r^{- 1} \cdot \frac{2 γ}{1 - γ}) \geq \frac{1}{1 + d}

There are two cases here. If the left-hand side is smaller than or equal to zero, then the attacker will not make a profit no matter what $d$ is. Otherwise we get

d \geq ((1 - γ) \cdot (\frac{1}{2} + \frac{1 - 2 γ}{2 \cdot ( 1 - γ )} - r^{- 1} \cdot \frac{2 γ}{1 - γ}))^{- 1} - 1

Examples for profitability

Using the above formulas, we arrive at the following table for when the attack will be profitable.

$γ$	$r$	Requirement for $d$
$0.0001$	$1.0$	$d \geq 0.04$	%
$0.0001$	$0.1$	$d \geq 0.22$	%
$0.0001$	$0.01$	$d \geq 2.06$	%
$0.0001$	$0.001$	$d \geq 25.02$	%
$0.001$	$1.0$	$d \geq 0.35$	%
$0.001$	$0.1$	$d \geq 2.20$	%
$0.001$	$0.01$	$d \geq 25.23$	%
$0.001$	$0.001$	Not possible
$0.01$	$1.0$	$d \geq 3.63$	%
$0.01$	$0.1$	$d \geq 27.39$	%
$0.01$	$0.01$	Not possible
$0.01$	$0.001$	Not possible

We can see that, for example, for a reasonable ratio of 1%, and a fee of 0.01% ( $γ = 0.0001$ ), a value of $d \geq 2.06$ % suffices to make the attack profitable.

Code used to generate the profitability table

The following Sage code was used to generate the table above.

def lhs(gamma, r):
  a = 1/2
  b = (1 - 2*gamma) / (2 - 2*gamma)
  c = (r**(-1)) * ((2*gamma) / (1 - gamma))
  inner = a + b - c
  outer = (1 - gamma) * inner
  return outer

def calc(gamma, r):
  return (lhs(gamma, r)**(-1)) - 1

print('| `l!$\gamma$` | `l!$r$` | requirement for `l!$d$` |')
print('| --- | --- | --- |')
for gamma in (0.0001, 0.001, 0.01):
  for r in (1, 0.1, 0.01, 0.001):
    if lhs(gamma, r) <= 0:
      result = 'not possible'
    else:
      result = f'`l!$d \geq {float(calc(gamma, r)*100):.2f}$`%'
    print(f'| `l!${float(gamma)}$` | `l!${float(r)}$` | {result}  |')

Disclaimer

The above estimates are a best effort based on simplifying assumptions (such as ticks being continuous real numbers rather than discrete, tick spacing and position width infinitesimal, etc.), so the numbers obtained may not be precise boundaries that are safe.