talegift
commented
3 years ago This is a known & documented risk: https://wild-credit.gitbook.io/wild-credit/advanced-concepts/price-oracles
Open code423n4 opened 3 years ago
talegift
commented
3 years ago This is a known & documented risk: https://wild-credit.gitbook.io/wild-credit/advanced-concepts/price-oracles
Handle
cmichel
Vulnerability details
The
UniswapV3Oracle.tokenPricefunction gets the price by combining the chainlink ETH price with the TWAP prices of thetoken <> pairTokenandpairToken <> WETHpools. It is therefore required that thepairToken <> WETHpool exists and has sufficient liquidity to be tamper-proof.Impact
When listing lending pairs for tokens that have a WETH pair with low liquidity (at 0.3% fees) the prices can be easily manipulated leading to liquidations or underpriced borrows. This can happen for tokens that don't use
WETHas their default trading pair, for example, if they prefer a stablecoin, orWBTC.Recommendation
Ensure there's enough liquidity on the
pairToken <> WETHUniswap V3 0.3% pair, either manually or programmatically.