Using a Uniswap V3 LP pricing formula vulnerable to price manipulation attacks /5821

[VincentLegendLee]

Identified By:

• Themis Team
• Immunefi

  Scorp:

  Users can provide their Uniswap V3 LP positions as collateral when borrowing assets from the system. However, due to the use of vulnerable LP pricing formula, an attacker can drain all the funds in the pools by providing collateral much less than he should (thus leaving his position underwater).

  Scenario & POC(Proof of Concept)

  If we trace into the code, we will notice that the spot price of a Uniswap pool is used to evaluate the value of LP tokens (see below). However, using spot price from a Uniswap pool is vulnerable to price manipulation attacks, where the attacker can intentionally pump the value of his LP tokens:

  1. An attacker creates a USDC-LINK pool with a fee tier of 100 bps. Notice that this pool does not exist, so the attacker creates a new one.
  2. He adds 1K USDC and 1 LINK token to the pool. At this point, the LINK's spot price is 1K USDC.
  3. He pumps LINK's spot price by swapping 100K USDC into the pool.
  4. As a result, the value that he can borrow from the system increases by 1084x! (see the two getTWAPQuoteNft values in the given PoC code).
  5. He provides the Uniswap V3 LP token as collateral to drain all USDT in the system's USDT pool, which is 30K at the time of writing. If the pool had more USDT tokens, say 1000K, the attacker can drain them all since the price is pumped to 1000x.
  6. He performs the reverse actions of Step 3 and Step 2 to get back his USDC and LINK and prevent being arbitrage by others.

Correction: In step 6. of the attack, the attack only does the reverse action of Step 3. (i.e., recover the pool to the normal state). He can't reverse Step 2 because his Uniswap V3 LP is given to the system as collateral. Notice that the attack can do all the above steps in separate transactions yet consecutively with the assistance of flashbot. This prevents him from being arbitraged during the attack, which almost, if not always, guarantee he can succeed. The attacker chooses to create a new pool instead of manipulating the existing ones because, with less liquidity in the pool, he can easily imbalance the portion of the token with less capital. Besides, the system accepts all LP tokens from all fee tier pools, as long as the underlying tokens are allowlisted (see checkNftV3WhiteList in the ThemisBorrowCompound contract).

Usage of the spot price:

1. The v3NFTBorrow of ThemisBorrowCompound allows users to borrow assets by collateralizing a Uniswap V3 LP token.
2. uniswapV3Oracle.getTWAPQuoteNft is called to know how many borrowed tokens this Uniswap V3 LP is worth (line 276).
3. In the getTWAPQuoteNft function, _calNftUsdValue is to get the LP token's value in USD (line 89).
4. In_calNftUsdValue, _getNFTAmounts is called to first get the amount0and amount1 in the LP token (line 81).
5. The vulnerability lies in the _getNFTAmounts function. The_poolTick variable fetched from slot0 represents the spot price, which is, however, used to calculate amount0, amount1 (line 162, 166).

   Impact

   An attacker can drain the assets in the system's pools by under-collateralizing his Uniswap V3 LP tokens and manipulating the underlying Uniswap pool.

[VincentLegendLee]

Evaluaton Results

Evaluated by:

• Vincent
• Themis Team
• Pecksheild

  Risk Breakdown

  Difficulty to Exploit: Easy Weakness: No check for Uniswap V3 fee tier CVSS2 Score: 8.8

  Recommendation

• Add fees tier check as well while validating nft against which borrowing is happening
• Avoid using the spot price of a Uniswap V3 pool. Instead, use TWAP from the Uniswap pool to derive the amounts of the underlying tokens of an LP token.

[VincentLegendLee]

FIXED

• Add fees tier check as well while validating nft against which borrowing is happening

  Whitelist Check

  <html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40">

Token 0 | Token 1 | Factory | Tier -- | -- | -- | -- USDC | WETH | 0x88e6A0c2dDD26FEEb64F039a2c41296FcB3f5640 | 500 USDC | WETH | 0x8ad599c3A0ff1De082011EFDDc58f1908eb6e6D8 | 3000 USDC | WETH | 0x7BeA39867e4169DBe237d55C8242a8f2fcDcc387 | 10000 USDC | USDT | 0x3416cF6C708Da44DB2624D63ea0AAef7113527C6 | 100 USDC | USDT | 0x7858E59e0C01EA06Df3aF3D20aC7B0003275D4Bf | 500 USDC | FRAX | 0xc63B0708E2F7e69CB8A1df0e1389A98C35A76D52 | 500 USDC | FEI | 0x8c54aA2A32a779e6f6fBea568aD85a19E0109C26 | 500 WETH | USDT | 0x11b815efB8f581194ae79006d24E0d814B7697F6 | 500 WETH | USDT | 0x4e68Ccd3E89f51C3074ca5072bbAC773960dFa36 | 3000 WETH | UST(wormhole) | 0x7a5ae802895D5f90b6EdbaFC870FD348Fba2A3d2 | 3000 WETH | UNI | 0x1d42064Fc4Beb5F8aAF85F4617AE8b3b5B8Bd801 | 3000 WETH | LINK | 0xa6Cc3C2531FdaA6Ae1A3CA84c2855806728693e8 | 3000 USDT | FRAX | 0xc2A856c3afF2110c1171B8f942256d40E980C726 | 500 USDT | MIM | 0xe6E14be906c1F1b438DA2010B38bECa14b387231 | 500 PAX | WETH | 0xD83D78108DD0d1dfffF11EA3F99871671a52488b | 3000 PAX | DAI | 0xB65fC555B0E970B16329a48e45cfa14Fce9A36a4 | 100 DAI | USDC | 0x5777d92f208679DB4b9778590Fa3CAB3aC9e2168 | 100 DAI | USDC | 0x6c6Bc977E13Df9b0de53b251522280BB72383700 | 500 DAI | USDT | 0x6f48ECa74B38d2936B02ab603FF4e36A6C0E3A77 | 500 DAI | WETH | 0x60594a405d53811d3BC4766596EFD80fd545A270 | 500 DAI | WETH | 0xC2e9F25Be6257c210d7Adf0D4Cd6E3E881ba25f8 | 3000 DAI | FEI | 0xbB2e5C2FF298FD96E166f90c8ABAcAF714Df14F8 | 500 WBTC | USDC | 0x99ac8cA7087fA4A2A1FB6357269965A2014ABc35 | 3000 WBTC | USDT | 0x9Db9e0e53058C89e5B94e29621a205198648425B | 3000 WBTC | WETH | 0x4585FE77225b41b697C938B018E2Ac67Ac5a20c0 | 500 WBTC | WETH | 0xCBCdF9626bC03E24f779434178A73a0B4bad62eD | 3000

Date：Feb·25th, 2022