talegift
commented
3 years ago We'll only support tokens that have sufficient liquidity on UniV3 in an ETH pair.
Open code423n4 opened 3 years ago
talegift
commented
3 years ago We'll only support tokens that have sufficient liquidity on UniV3 in an ETH pair.
Handle
cmichel
Vulnerability details
The
UniswapV3Oracle.tokenPricefunction gets the price by combining the chainlink ETH price with the TWAP prices of thetoken <> pairTokenandpairToken <> WETHpools. It is therefore required that thepairToken <> WETHpool exists and has sufficient liquidity to be tamper-proof.Impact
When listing lending pairs for tokens that have a WETH pair with low liquidity (at 0.3% fees) the prices can be easily manipulated leading to liquidations or underpriced borrows. This can happen for tokens that don't use
WETHas their default trading pair, for example, if they prefer a stablecoin, orWBTC.Recommendation
Ensure there's enough liquidity on the
pairToken <> WETHUniswap V3 0.3% pair, either manually or programmatically.