code-423n4 / 2021-07-sherlock-findings


Token price should not be set manually. #122

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

tensors

Vulnerability details

Impact

The Manager.sol file contains many methods to let Watsons manually set the token price. This should never be done, and gives free incentives for malicious users to arbitrage price discrepancies from the pool.

Proof of Concept

In general, these price discrepancies shouldn't be taken lightly, although I'm not sure of the specifics of how to profit from it in this case. Maybe something like this:

Suppose the price of a token A is set to $10 by the Watsons. The next day, the price of the token on DEXs increases to $20. This puts a strong incentive on malicious actors to get access to underpriced token A on SherX, stealing profits from the pool.

I could be misunderstanding something about SherX pool mechanics, but manually setting token price is a bad idea.

Recommended Mitigation Steps

A price feed should be used: either something like Chainlink oracles or, if one can't be found for the token, Uniswap TWAP oracles for the token.
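
The two mitigation options above, written out as an added example that is not part of the finding and not the Sherlock project's code. The `AggregatorV3Interface` and `IUniswapV2Pair` fragments match the real Chainlink and Uniswap V2 ABIs; `ISherXPriceSink.setTokenPrice`, `OraclePriceUpdater` and the `gov` check are hypothetical stand-ins for the Manager.sol setter and its caller. The point of the example is the checks an oracle read needs before the number is trusted: a Chainlink answer is rejected when it is non-positive, older than `maxAge`, or from an incomplete round, and a Uniswap V2 TWAP is only accepted over a window of at least `minWindow` seconds so a single-block reserve manipulation cannot move it much.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal slice of the Chainlink AggregatorV3 ABI (the real interface has more members).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Minimal slice of the Uniswap V2 pair ABI needed for a price0 TWAP.
interface IUniswapV2Pair {
    function price0CumulativeLast() external view returns (uint256);
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

// Hypothetical stand-in for the governed price setter the finding objects to.
interface ISherXPriceSink {
    function setTokenPrice(address token, uint256 price1e18) external;
}

// Hypothetical updater: governance still triggers the update, but the price comes from an oracle.
contract OraclePriceUpdater {
    uint256 private constant Q112 = 2 ** 112; // Uniswap V2 UQ112x112 fixed-point scale

    struct TwapSnapshot { uint256 price0Cumulative; uint32 timestamp; }
    mapping(address => TwapSnapshot) public snapshots; // pair => last observation

    ISherXPriceSink public immutable sink;
    address public immutable gov;

    constructor(ISherXPriceSink _sink) { sink = _sink; gov = msg.sender; }

    modifier onlyGov() { require(msg.sender == gov, "not gov"); _; }

    // Chainlink read with the sanity checks a consumer should apply, normalised to 18 decimals.
    function chainlinkPrice1e18(AggregatorV3Interface feed, uint256 maxAge) public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "invalid answer");                                   // feeds can return 0 or negative
        require(updatedAt != 0 && block.timestamp - updatedAt <= maxAge, "stale answer");
        require(answeredInRound >= roundId, "incomplete round");                 // answer carried over from an old round
        uint8 dec = feed.decimals();
        return dec <= 18 ? uint256(answer) * 10 ** (18 - dec) : uint256(answer) / 10 ** (dec - 18);
    }

    // price0 accumulator extrapolated to the current block, as UniswapV2OracleLibrary.currentCumulativePrices does.
    // The accumulator is designed to overflow, so the addition is unchecked on purpose.
    function _currentPrice0Cumulative(IUniswapV2Pair pair) internal view returns (uint256 cumulative, uint32 ts) {
        cumulative = pair.price0CumulativeLast();
        (uint112 r0, uint112 r1, uint32 last) = pair.getReserves();
        require(r0 > 0, "no liquidity");
        ts = uint32(block.timestamp);
        if (last != ts) {
            unchecked { cumulative += ((uint256(r1) * Q112) / r0) * (ts - last); }
        }
    }

    // Record the starting point of a TWAP window for a pair.
    function snapshotTwap(IUniswapV2Pair pair) external {
        (uint256 c, uint32 ts) = _currentPrice0Cumulative(pair);
        snapshots[address(pair)] = TwapSnapshot(c, ts);
    }

    // token1-per-token0 average price since the stored snapshot, scaled to 1e18.
    function twapPrice1e18(IUniswapV2Pair pair, uint32 minWindow) public view returns (uint256) {
        TwapSnapshot memory s = snapshots[address(pair)];
        require(s.timestamp != 0, "no snapshot");
        (uint256 c, uint32 ts) = _currentPrice0Cumulative(pair);
        uint32 elapsed;
        uint256 avgUQ112;
        unchecked {
            elapsed = ts - s.timestamp;                 // uint32 wrap-around is intended
            avgUQ112 = (c - s.price0Cumulative) / elapsed; // still UQ112x112
        }
        require(elapsed >= minWindow, "window too short");
        return (avgUQ112 * 1e18) / Q112;                // checked: absurd prices revert rather than wrap
    }

    // Governance pushes a price it did not type by hand.
    function pushChainlinkPrice(address token, AggregatorV3Interface feed, uint256 maxAge) external onlyGov {
        sink.setTokenPrice(token, chainlinkPrice1e18(feed, maxAge));
    }

    function pushTwapPrice(address token, IUniswapV2Pair pair, uint32 minWindow) external onlyGov {
        sink.setTokenPrice(token, twapPrice1e18(pair, minWindow));
    }
}
```

Two caveats on the TWAP path: the value is token1 denominated in token0, so the caller must know the pair's token ordering (and invert or chain pairs as needed), and `snapshotTwap` must be called at least `minWindow` seconds before `pushTwapPrice`, or the read reverts. The `maxAge` for the Chainlink path should be set a little above the feed's heartbeat, otherwise normal operation trips the staleness check.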

Evert0x commented 3 years ago

This contract is designed to not depend on any external contracts (oracles..). The calling contract (onlyGovMain) will likely use oracles to execute the call with the right price.

ghoul-sol commented 3 years ago

per sponsor comment, invalid