Lodestar-Finance / lodestar-protocol

Houses the code for the Lodestar Finance DeFi protocol.
BSD 3-Clause "New" or "Revised" License

One can manipulate the price fetched through the SushiOracle and steal funds #32

Closed Subject421 closed 1 year ago

Subject421 commented 1 year ago

Title

One can manipulate the price fetched through the SushiOracle and steal funds

Affected smart contract

SushiOracle.sol

https://github.com/LodestarFinance/lodestar-protocol/blob/cfca1ae275d023a02198798bbcb24b2a1f646776/contracts/Oracle/SushiOracle.sol#L35

SushiOracle.sol

```solidity
// Reads the pool's current balance of a token: a spot value that any swap in the
// same block changes immediately.
function getTokenBalance(address tokenAddress) public view returns (uint256) {
    uint256 balance = EIP20Interface(tokenAddress).balanceOf(poolContract);
    return balance;
}

// Price is the ratio of the two current pool balances (scaled by 1e18), so it
// follows whatever reserves the pool holds at the moment of the call.
function price() public view returns (uint256) {
    uint256 balanceA = getTokenBalance(tokenA);
    uint256 balanceB = getTokenBalance(tokenB);
    uint256 price = (balanceA * 1e18) / balanceB;
    return price;
}
```

Description

Lodestar Finance uses the SushiOracle.sol contract to get LODE Token prices. However, since that contract uses a spot price derived from the current pool balances, it is vulnerable to price oracle manipulation.

Anyone can perform a large swap to trick Lodestar into using the manipulated price. They can then execute actions on Lodestar Finance and reverse the swap. If LODE is used as collateral, one can inflate the price and borrow other tokens. If LODE is considered a debt token, one can deflate the price and borrow more LODE tokens.

This is a well-known attack that has happened many times before.

Resources

Check the section "Use flash loans to manipulate the price of AMM" from this article https://medium.com/beaver-smartcontract-security/defi-security-lecture-7-price-oracle-manipulation-d716cdeaaf77 OR check out this Consensys article; it gives an example of an attack that happened on UniswapV3, but the same vector for spot price manipulation is applicable to UniswapV2/Sushi as well. https://consensys.github.io/smart-contract-best-practices/attacks/oracle-manipulation/

Attack scenario

Sushi Pool (10,000 LODE : 1,000 USDC)

1 Lode equals 0.10 USDC

Consider the case of manipulating price higher. Note that a liquidity pool's balances do not matter; even with high balances, using flashloans, one can cheaply execute this attack and profit.

1. Swap 4,000 USDC for LODE. The attacker gets 8,000 LODE. Now the Sushi Pool is (2,000 LODE : 5,000 USDC) as per xy = k, so 1 LODE equals 2.5 USDC.

2. Borrow against overvalued LODE. Since LODE is overvalued, the attacker can borrow more than the protocol intended.

3. Swap the 8,000 LODE received from Step 1 for USDC. The attacker gets their 4,000 USDC back, and the Sushi Pool is (10,000 LODE : 1,000 USDC) again as per xy = k.

Using multicall, one can guarantee the execution of all of the above 3 steps in 1 transaction. Also please note deflating LODE's price is also possible; the initial swap just needs to be for USDC instead.

Recommendation

Consider using TWAP instead of SPOT price from Sushi Swap pools.
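The following simulation is an added illustration and is not part of the issue, of the Lodestar code, or of SushiSwap. It replays the reporter's numbers (a constructed 10,000 LODE : 1,000 USDC pool, a 4,000 USDC swap, no fee so the figures match the scenario exactly) through a minimal x*y=k pool, reads the spot price the way SushiOracle.price() does from current balances, and alongside it keeps a Uniswap-V2-style cumulative price so the same round trip can be read as a TWAP over an assumed 1,800-second window. Token order, the 12-second block time and the window length are assumptions for the example.

```python
"""Constructed simulation of the SushiOracle spot-price manipulation (example code,
not Lodestar or SushiSwap code). Reserves, swap size, block time and TWAP window are
the issue's hypothetical numbers or assumptions made for this example."""

SCALE = 10**18  # SushiOracle.price() scales the balance ratio by 1e18


class ConstantProductPool:
    """Minimal x*y=k pool (Uniswap V2 / SushiSwap style) with a V2-style price accumulator.

    Reserves are whole tokens. fee_bps=0 reproduces the issue's numbers exactly; a real
    Sushi pool charges 30 bps, which only makes the round trip slightly more expensive.
    """

    def __init__(self, reserve_lode, reserve_usdc, now=0, fee_bps=0):
        self.lode = reserve_lode
        self.usdc = reserve_usdc
        self.fee_bps = fee_bps
        self.timestamp = now
        self.price_cumulative = 0  # sum of spot_price() * seconds that price was in force

    def spot_price(self):
        # USDC per LODE scaled by 1e18, derived from the current balances only:
        # the same quantity SushiOracle.price() reads via balanceOf(poolContract).
        return self.usdc * SCALE // self.lode

    def sync(self, now):
        # Credit the price that held since the last update, weighted by elapsed time.
        # Called before every reserve change, so a swap reversed in the same block
        # (elapsed == 0) adds nothing to the accumulator.
        self.price_cumulative += self.spot_price() * (now - self.timestamp)
        self.timestamp = now

    def _amount_out(self, reserve_in, reserve_out, amount_in):
        amount_in_net = amount_in * (10_000 - self.fee_bps) // 10_000
        return reserve_out * amount_in_net // (reserve_in + amount_in_net)

    def swap_usdc_for_lode(self, usdc_in, now):
        self.sync(now)
        lode_out = self._amount_out(self.usdc, self.lode, usdc_in)
        self.usdc += usdc_in
        self.lode -= lode_out
        return lode_out

    def swap_lode_for_usdc(self, lode_in, now):
        self.sync(now)
        usdc_out = self._amount_out(self.lode, self.usdc, lode_in)
        self.lode += lode_in
        self.usdc -= usdc_out
        return usdc_out


def manipulation_round_trip(usdc_in=4_000, hold_seconds=0, window_seconds=1_800):
    """Steps 1 and 3 of the issue's scenario, seen by both a spot reader and a TWAP reader.

    The attacker swaps USDC in at t=1000 (step 2, the borrow, would happen right after),
    then swaps the LODE back after hold_seconds. A TWAP consumer snapshots the
    accumulator at the window start and reads it again at window end.
    Returns prices scaled by 1e18 plus the attacker's net USDC cost of the round trip.
    """
    pool = ConstantProductPool(reserve_lode=10_000, reserve_usdc=1_000, now=0)
    cum_start, ts_start = pool.price_cumulative, pool.timestamp

    spot_before = pool.spot_price()
    lode_got = pool.swap_usdc_for_lode(usdc_in, now=1_000)
    spot_manipulated = pool.spot_price()  # what a spot oracle would report for step 2
    usdc_back = pool.swap_lode_for_usdc(lode_got, now=1_000 + hold_seconds)
    spot_after = pool.spot_price()

    pool.sync(now=window_seconds)  # TWAP consumer reads at the end of the window
    twap = (pool.price_cumulative - cum_start) // (pool.timestamp - ts_start)

    return {
        "spot_before": spot_before,
        "spot_manipulated": spot_manipulated,
        "spot_after": spot_after,
        "twap": twap,
        "round_trip_cost_usdc": usdc_in - usdc_back,
    }


if __name__ == "__main__":
    for label, result in (("same block", manipulation_round_trip(hold_seconds=0)),
                          ("held 12 s", manipulation_round_trip(hold_seconds=12))):
        print(label, {k: (v / SCALE if k != "round_trip_cost_usdc" else v)
                      for k, v in result.items()})
```

Run as written, the same-block case shows the spot price jumping from 0.10 to 2.50 USDC per LODE and back at zero cost to the attacker, while the TWAP over the window stays at 0.10 because the manipulated reserves were never in force for any elapsed time. Holding the manipulated state across one 12-second block moves the TWAP only to 0.116, and doing so exposes the attacker to arbitrage and liquidity risk for that block, which is the cost a spot oracle never imposes.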

Subject421 commented 1 year ago

[image attachment]