Lack of Validation for tickLower and tickUpper in setTickBounds Function Allows Setting Invalid Tick Bounds

[CipherHawk0]

Summary

The absence of comprehensive validation in the setTickBounds function will cause a medium impact on the protocol's liquidity positioning as an attacker with the SETTER_ROLE can set invalid or overlapping tick bounds, leading to inefficient liquidity distribution and potential loss of funds.

Root Cause

in SolidlyV3AMO.sol, the setTickBounds function allows authorized addresses with the SETTER_ROLE to set tickLower and tickUpper without validating their relationship or ensuring they are within acceptable ranges. This omission can result in invalid tick configurations that disrupt the liquidity management strategy.

function setTickBounds(int24 tickLower_, int24 tickUpper_) public override onlyRole(SETTER_ROLE) {
    tickLower = tickLower_;
    tickUpper = tickUpper_;
    emit TickBoundsSet(tickLower, tickUpper);
}

Internal pre-conditions

1-An account with the SETTER_ROLE needs to call setTickBounds to set new tick bounds.
2-The provided tickLower_ and tickUpper_ are arbitrary and not validated against any logical relationship or protocol requirements.

External pre-conditions

1-The pool contract must operate correctly within the specified tick bounds.
2-External factors such as market volatility do not interfere with the tick settings.

Attack Path

1-The attacker, possessing the SETTER_ROLE, calls the setTickBounds function.
2-The attacker provides invalid or overlapping values for tickLower_ and tickUpper_, such as setting tickLower_ higher than tickUpper_ or setting both ticks to the same value.
3-The contract accepts these values due to the lack of validation.
4-The invalid tick bounds disrupt the liquidity positioning within the pool, leading to inefficient liquidity distribution.
5-This misconfiguration can result in loss of funds, reduced liquidity efficiency, and destabilization of the BOOST peg.

Impact

The protocol experiences a medium risk of inefficient liquidity distribution and potential loss of funds due to invalid tick bounds. This can lead to reduced liquidity efficiency, increased slippage, and destabilization of the BOOST peg, affecting user confidence and financial stability.

PoC

// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

import "./SolidlyV3AMO.sol";

contract TickBoundsAttack {
    SolidlyV3AMO amo;

    constructor(address amoAddress) {
        amo = SolidlyV3AMO(amoAddress);
    }

    function exploit() public {
        // Assume the attacker has SETTER_ROLE
        // Set tickLower_ higher than tickUpper_
        amo.setTickBounds(100, 50);
    }
}

Mitigation

1-Implement Tick Bounds Validation:
Ensure that tickLower_ is less than tickUpper_ and that both ticks are within acceptable ranges.

function setTickBounds(int24 tickLower_, int24 tickUpper_) public override onlyRole(SETTER_ROLE) {
    require(tickLower_ < tickUpper_, "tickLower must be less than tickUpper");
    require(tickLower_ >= MIN_TICK && tickUpper_ <= MAX_TICK, "Tick bounds out of range");
    tickLower = tickLower_;
    tickUpper = tickUpper_;
    emit TickBoundsSet(tickLower, tickUpper);
}

2-Define Acceptable Tick Ranges:
Establish and enforce minimum and maximum tick values to prevent extreme or invalid configurations.
3-Implement Multi-Signature Controls:
Require multiple approvals for setting critical parameters like tick bounds to add an additional layer of security.
4-Regular Audits and Monitoring:
Continuously monitor tick bounds settings to detect and prevent unauthorized or malicious changes promptly.
5-Role Management Best Practices:
Minimize the number of addresses with privileged roles and ensure roles are granted judiciously.