Saeedalipoor01988 - PriceOracle Does Not Filter Price Feed Outliers and triggerDepeg is vulnerable to flash loan attacks #146
Labels
Non-Reward
This issue will not receive a payout
Saeedalipoor01988
high
PriceOracle Does Not Filter Price Feed Outliers and triggerDepeg is vulnerable to flash loan attacks
Summary
If the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioning price feed, anyone can call triggerDepeg and trigger a depeg event.
Vulnerability Detail
If for whatever reason the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioning price feed, the result will be passed on to users, causing unintended consequences.
At the same time, it's possible to construct mitigation mechanics for such cases, so that user economics are affected by sustainable price movements only. As price outliers provide a substantial attack surface for the project, it's worth adding some complexity to the implementation.
The above code outlines how prices are utilised; the code just checks that the price is more than zero.
And the only check for a depeg is that strike becomes > price. For example, if the strike price is 1$, an attacker just needs to manipulate the oracle price in one block and decrease it from 1$ to 0.99$.
Impact
If the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioning price feed (for example, via a flash loan), anyone can call triggerDepeg and trigger a depeg event using price manipulation.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L313
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L64
Tool used
Manual Review
Recommendation
Consider querying both the Chainlink oracle and Uniswap pool for latest prices, ensuring that these two values are within some upper/lower bounds of each other. It may also be useful to track historic values and ensure that there are no sharp changes in price. However, the first option provides a level of simplicity as UniswapV3's TWAP implementation is incredibly resistant to flash loan attacks. Hence, the main issue to address is a malfunctioning Chainlink oracle.
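One way to implement the bounds check from the Recommendation, as an added example that is not part of the original report or the Y2K code base. The `ITwapSource` adapter, the `BoundedDepegCheck` contract, and the window and deviation constants are hypothetical; the adapter is assumed to return its average price scaled to the same decimals as the Chainlink feed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Chainlink aggregator interface (only the call used here).
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical adapter around a Uniswap V3 pool TWAP. Assumed to return
// the time-weighted average price scaled to the feed's decimals.
interface ITwapSource {
    function twapPrice(uint32 window) external view returns (uint256);
}

contract BoundedDepegCheck {
    AggregatorV3Interface public immutable feed;
    ITwapSource public immutable twap;

    uint32 public constant TWAP_WINDOW = 30 minutes;  // assumed value
    uint256 public constant MAX_DEVIATION_BPS = 200;  // assumed value: 2%

    error InvalidPrice();
    error PriceDeviation(uint256 feedPrice, uint256 referencePrice);

    constructor(AggregatorV3Interface _feed, ITwapSource _twap) {
        feed = _feed;
        twap = _twap;
    }

    // Returns the feed price only if it is positive and within
    // MAX_DEVIATION_BPS of the TWAP reference; reverts otherwise.
    function checkedPrice() public view returns (uint256 price) {
        (, int256 answer, , , ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice();
        price = uint256(answer);

        uint256 ref = twap.twapPrice(TWAP_WINDOW);
        if (ref == 0) revert InvalidPrice();

        uint256 diff = price > ref ? price - ref : ref - price;
        if (diff * 10_000 > ref * MAX_DEVIATION_BPS) revert PriceDeviation(price, ref);
    }

    // Depeg condition described in the report (strike > price), evaluated
    // only on a price that passed the cross-check above.
    function isDepegged(uint256 strike) external view returns (bool) {
        return strike > checkedPrice();
    }
}
```

With this check, a sharp but genuine price move makes `checkedPrice` revert until the TWAP catches up, so the window and deviation bound trade trigger latency against resistance to single-block outliers.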