Closed code423n4 closed 3 years ago
This issue has no real description; at best it is a duplicate of #92, but I don't think this should get any payment.
Notional does not use Uniswap oracles; Notional currently uses Chainlink oracles, which are the market standard. If Notional DID support illiquid collateral types with little trading volume, or if Notional DID use Uniswap oracles, this would be a problem. But Notional doesn’t, and a governance vote would be required in order for any of these bad things to happen.
I agree with Jeff's comment above.
Insufficient exploit description. Making this invalid.
Handle
tensors
Vulnerability details
Impact
Using oracles is potentially dangerous with low volume, and could lead to arbitrage opportunities/loss of user funds as the oracles are a lagging indicator. During times of high volatility they can easily be frontrun.
Proof of Concept
https://github.com/code-423n4/2021-08-notional/blob/main/contracts/internal/valuation/ExchangeRate.sol
Recommended Mitigation Steps
One way to get around this is to add a time-delay and a call back when trading against an oracle, as it is difficult to predict the price in the future. If there is enough volume and the asset is trading in multiple places, this will become less of a problem.