This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

Saeedalipoor01988 - PriceOracle Does Not Filter Price Feed Outliers and triggerDepeg is vulnerable to flash loan attacks #146

Closed
sherlock-admin opened this issue Mar 27, 2023 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Contributor

sherlock-admin commented Mar 27, 2023

Saeedalipoor01988

high

PriceOracle Does Not Filter Price Feed Outliers and triggerDepeg is vulnerable to flash loan attacks

Summary

If the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunction, anyone can call triggerDepeg and trigger a depeg event.

Vulnerability Detail

If for whatever reason the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price, the result will be passed onto users, causing unintended consequences as a result.

At the same time, it is possible to construct mitigation mechanics for such cases, so that user economics are affected by sustainable price movements only. As price outliers provide a substantial attack surface for the project, it is worth adding some complexity to the implementation.

    AggregatorV3Interface priceFeed = AggregatorV3Interface(
        vaultFactory.tokenToOracle(_token)
    );
    (uint80 roundID, int256 price, , , uint80 answeredInRound) = priceFeed
        .latestRoundData();
    uint256 decimals = priceFeed.decimals();

    if (decimals < 18) {
        decimals = 10**(18 - (decimals));
        price = price * int256(decimals);
    } else if (decimals == 18) {
        price = price;
    } else {
        decimals = 10**((decimals - 18));
        price = price / int256(decimals);
    }

    if (price <= 0) revert OraclePriceZero();

    if (answeredInRound < roundID) revert RoundIDOutdated();

The above code outlines how prices are utilised; the code only checks that the price is greater than zero.

    if (int256(premiumVault.strike()) <= price)
        revert PriceNotAtStrikePrice(price);

The only check for a depeg is whether the strike becomes greater than the price. For example, if the strike price is $1, an attacker just needs to manipulate the oracle price in one block and decrease it from $1 to $0.99.

Impact

If the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunction (for example, via a flash loan), anyone can call triggerDepeg and trigger a depeg event using the manipulated price.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L313
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L64

Tool used

Manual Review

Recommendation

Consider querying both the Chainlink oracle and Uniswap pool for latest prices, ensuring that these two values are within some upper/lower bounds of each other. It may also be useful to track historic values and ensure that there are no sharp changes in price. However, the first option provides a level of simplicity as UniswapV3's TWAP implementation is incredibly resistant to flash loan attacks. Hence, the main issue to address is a malfunctioning Chainlink oracle.
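As an added illustration of the recommendation above (this is not Y2K/Earthquake code and not part of the original submission), the contract below keeps the existing positive-price and round-ID checks, adds a freshness check on `updatedAt`, and refuses to return a Chainlink price that deviates from a second source by more than a fixed band. The `IReferencePrice` adapter, the `MAX_STALENESS` and `MAX_DEVIATION_BPS` constants, and the `GuardedPriceOracle` name are assumptions; a real deployment would back `IReferencePrice` with a Uniswap V3 TWAP over a window long enough that a single-block price move cannot shift it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not project code. AggregatorV3Interface mirrors Chainlink's
// interface; IReferencePrice is a hypothetical adapter around a second price
// source (for example a Uniswap V3 TWAP) and is an assumption of this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

interface IReferencePrice {
    // Hypothetical: returns an 18-decimal price for the same asset.
    function price18() external view returns (uint256);
}

contract GuardedPriceOracle {
    error OraclePriceZero();
    error RoundIDOutdated();
    error StalePrice(uint256 updatedAt);
    error PriceDeviatesFromReference(uint256 chainlinkPrice, uint256 referencePrice);

    // Assumed tuning values: tune MAX_STALENESS to the feed's heartbeat and
    // MAX_DEVIATION_BPS (here 2%) to the asset's normal volatility.
    uint256 public constant MAX_STALENESS = 1 hours;
    uint256 public constant MAX_DEVIATION_BPS = 200;
    uint256 private constant BPS = 10_000;

    AggregatorV3Interface public immutable feed;
    IReferencePrice public immutable reference;

    constructor(AggregatorV3Interface _feed, IReferencePrice _reference) {
        feed = _feed;
        reference = _reference;
    }

    // Scales a feed answer to 18 decimals, rejecting zero or negative answers.
    function _normalizeTo18(int256 answer, uint8 feedDecimals) internal pure returns (uint256) {
        if (answer <= 0) revert OraclePriceZero();
        uint256 p = uint256(answer);
        if (feedDecimals < 18) return p * 10 ** (18 - feedDecimals);
        if (feedDecimals > 18) return p / 10 ** (feedDecimals - 18);
        return p;
    }

    // Returns the Chainlink price only if it is fresh, from a completed round,
    // and within MAX_DEVIATION_BPS of the independent reference price.
    function getValidatedPrice() public view returns (uint256 price18) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        if (answeredInRound < roundId) revert RoundIDOutdated();
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > MAX_STALENESS) {
            revert StalePrice(updatedAt);
        }

        price18 = _normalizeTo18(answer, feed.decimals());

        // Cross-check against the second source: a one-block outlier on the
        // feed that the TWAP does not reflect reverts instead of propagating.
        uint256 ref = reference.price18();
        uint256 diff = price18 > ref ? price18 - ref : ref - price18;
        if (diff * BPS > ref * MAX_DEVIATION_BPS) {
            revert PriceDeviatesFromReference(price18, ref);
        }
    }
}
```

A controller that calls `getValidatedPrice()` instead of reading `latestRoundData()` directly gets the strike comparison only after the cross-check has passed, so a depeg can only be triggered when both sources agree the price is below the strike. The band width is a trade-off: too tight and legitimate volatility causes reverts, too wide and the check stops filtering outliers.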

@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
@hrishibhat

Sherlock does not accept issues related to external Oracle price manipulation in general.

@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue labels Apr 28, 2023