Open code423n4 opened 2 years ago
We currently have a mean shorting function that pulls multiple price feeds so that if one is stale it gets rejected.
Seems like the warden has shown a specific scenario, contingent on external conditions.
However, from the code, there seems to be no "mean shorting function", at least in the code in scope
Agreed with @GalloDaSballo , oracle staleness is still an issue in this version of the code.
Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/money-market-contracts/contracts/oracle/src/contract.rs#L106-L113
Vulnerability details
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/money-market-contracts/contracts/oracle/src/contract.rs#L106-L113
The implementation only takes two attributes: `asset` and `price`. The `last_updated_time` of the record is always set to the current `block.time`, i.e. the time at which the transaction is included in a block, not the time at which the price was observed. This makes it possible for the price feeds to be disrupted when the network is congested, when the endpoint is down for a while, or when the `feeder` bot handles its message queue inappropriately: transactions carrying stale prices get accepted as fresh prices. Since the price feeds are essential to the protocol, this can result in users' positions being liquidated wrongfully and cause loss of funds to users.
PoC
Given:
- `feeder` is connected to an endpoint currently experiencing degraded performance;
- the price of ETH is `$10,000`;
- the `max_ltv` ratio of ETH is `60%`.

1. Alice borrowed `5,000 USDC` with `1 ETH` as collateral;
2. the price of ETH dropped to `$9,000`; to avoid liquidation, Alice repaid `1,000 USD`;
3. the price of ETH dropped to `$8,000`;
4. `feeder` tries to `updateMainFeedData()` with the latest price, `$8,000`; however, since the network is congested, the transaction was not packed in time;
5. the price of ETH recovered to `$10,000`; Alice borrowed another `1,000 USDC`;
6. the `feeder` transaction from step 4 finally got packed; the protocol now believes the price of ETH has suddenly dropped to `$8,000`, and as a result Alice's position got liquidated.

Recommendation
Change to:
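The recommended change itself is not reproduced on this page. As an added illustration (example code, not the Anchor contract's code and not the warden's proposed fix), the following self-contained Rust model replays the PoC sequence against a naive `feed_price` that stamps each record with the inclusion block time, and against a hardened variant that takes the feeder's own observation timestamp and rejects updates that are from the future, older than a configurable `max_delay` at inclusion, or not strictly newer than the stored record. `Oracle`, `Env`, `Submission`, `feed_price_naive`, `feed_price_checked` and all timestamps and prices are assumptions constructed for the example; they are not the contract's API.

```rust
use std::collections::HashMap;

/// Stand-in for the on-chain block environment (assumption for this example).
#[derive(Clone, Copy, Debug)]
pub struct Env { pub block_time: u64 }

/// Stored record, mirroring a (price, last_updated_time) pair.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct PriceInfo { pub price: u64, pub last_updated_time: u64 }

#[derive(Debug, PartialEq)]
pub enum FeedError { FutureTimestamp, TooOld, StaleOrOutOfOrder }

#[derive(Default)]
pub struct Oracle { prices: HashMap<String, PriceInfo> }

impl Oracle {
    /// Naive behaviour: the record is stamped with the block time at inclusion,
    /// so a delayed transaction is indistinguishable from a fresh observation.
    pub fn feed_price_naive(&mut self, env: Env, asset: &str, price: u64) {
        self.prices.insert(asset.to_string(), PriceInfo { price, last_updated_time: env.block_time });
    }

    /// Hardened behaviour: the feeder submits the time it observed the price,
    /// and the contract rejects observations from the future, observations older
    /// than `max_delay` seconds at inclusion, and observations that are not
    /// strictly newer than the stored record (the reordering case from the PoC).
    pub fn feed_price_checked(
        &mut self,
        env: Env,
        asset: &str,
        price: u64,
        observed_at: u64,
        max_delay: u64,
    ) -> Result<(), FeedError> {
        if observed_at > env.block_time {
            return Err(FeedError::FutureTimestamp);
        }
        if env.block_time - observed_at > max_delay {
            return Err(FeedError::TooOld);
        }
        if let Some(prev) = self.prices.get(asset) {
            if observed_at <= prev.last_updated_time {
                return Err(FeedError::StaleOrOutOfOrder);
            }
        }
        self.prices.insert(asset.to_string(), PriceInfo { price, last_updated_time: observed_at });
        Ok(())
    }

    pub fn price(&self, asset: &str) -> Option<PriceInfo> {
        self.prices.get(asset).copied()
    }
}

/// One feeder submission: when the price was observed off-chain, when the
/// transaction was finally included, and the price it carried.
#[derive(Clone, Copy, Debug)]
pub struct Submission { pub observed_at: u64, pub included_at: u64, pub price: u64 }

/// Constructed data mirroring the PoC: the $8,000 update is observed at t=300
/// but only lands at t=450, after the $10,000 recovery landed at t=400.
/// Returned in inclusion order, which is the order the chain processes them.
pub fn poc_submissions() -> Vec<Submission> {
    let mut subs = vec![
        Submission { observed_at: 100, included_at: 100, price: 10_000 },
        Submission { observed_at: 200, included_at: 200, price: 9_000 },
        Submission { observed_at: 300, included_at: 450, price: 8_000 },
        Submission { observed_at: 400, included_at: 400, price: 10_000 },
    ];
    subs.sort_by_key(|s| s.included_at);
    subs
}

/// Replays the PoC against the naive oracle and returns the final ETH record.
pub fn replay_naive() -> PriceInfo {
    let mut oracle = Oracle::default();
    for s in poc_submissions() {
        oracle.feed_price_naive(Env { block_time: s.included_at }, "ETH", s.price);
    }
    oracle.price("ETH").expect("ETH was fed")
}

/// Replays the PoC against the hardened oracle, returning the final ETH record
/// and the outcome of each submission.
pub fn replay_checked(max_delay: u64) -> (PriceInfo, Vec<Result<(), FeedError>>) {
    let mut oracle = Oracle::default();
    let mut outcomes = Vec::new();
    for s in poc_submissions() {
        outcomes.push(oracle.feed_price_checked(
            Env { block_time: s.included_at }, "ETH", s.price, s.observed_at, max_delay,
        ));
    }
    (oracle.price("ETH").expect("ETH was fed"), outcomes)
}

fn main() {
    println!("naive oracle ends with   {:?}", replay_naive());
    let (record, outcomes) = replay_checked(600);
    println!("checked oracle ends with {:?}", record);
    println!("per-submission outcomes: {:?}", outcomes);
}
```

With the naive oracle the delayed `$8,000` submission overwrites the `$10,000` record and is stamped `last_updated_time = 450`, so a consumer checking freshness sees a brand-new price and liquidates Alice. With the checked oracle the same submission is rejected as out of order and the `$10,000` record stamped at 400 survives. Two caveats a practitioner would keep in mind: the observation timestamp is only as trustworthy as the feeder that signs it (the contract must still restrict the call to the registered feeder), and consumers should still apply their own maximum-age check on `last_updated_time` at read time, since the monotonic check closes the reordering window but does nothing for a feed that simply stops updating.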