Malicious Price Bound
Although the Liquidity Provider is assumed to have complete control over LP funds, this section aims to describe a possible attack vector that Liquidity Provider contracts should be aware of.
In the absence of a timelock or checks against spot price manipulation, the liquidity provider contract could do the following things:
Manipulate the spot price of the pool by swapping a significant amount in 1 direction.
Set the price bounds very tightly around this manipulated spot price.
Swap back in the other direction.
Using this sequence of events atomically, the liquidity provider can buy the pool's tokens at a significant discount.
To mitigate this attack, it is enforced onchain that the spot price has to be within the allowed deviation to the oracle price when the setPriceBounds
function is called. It is also recommended that Liquidity Provider adds extra security checks, such as restricted access management to setPriceBounds
Last updated