Closed code423n4 closed 2 years ago
Usually Chainlink only makes oracles for coins that have 5 or more markets - we spoke to them directly and this is what they told us. Furthermore, there are certain liquidity checks by Chainlink to avoid this issue. It would require a significant amount of funds to manipulate the oracles. There are multiple other DOVs in the wild using Chainlink.
Dispute accepted.
Lines of code
https://github.com/code-423n4/2022-03-rolla/blob/a06418c9cc847395f3699bdf684a9ac066651ed7/quant-protocol/contracts/pricing/oracle/ChainlinkOracleManager.sol#L200
Vulnerability details
Impact
Quant protocol uses a single snapshot at option expiry time to determine the settlement price, which is subject to price manipulation. An attacker can manipulate the price source of the Chainlink oracle at relatively low cost because only 1 snapshot is considered.
Proof of Concept
https://github.com/code-423n4/2022-03-rolla/blob/a06418c9cc847395f3699bdf684a9ac066651ed7/quant-protocol/contracts/pricing/oracle/ChainlinkOracleManager.sol#L200
Recommended Mitigation Steps
Use a TWAP to defend against such attacks.
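The difference between the two settlement rules discussed in this finding, as an added example that is not part of the report or of the Rolla code base: it computes a single-snapshot price and a time-weighted average price over the same feed history. The function names, the one-hour window and the sample rounds are assumptions constructed for illustration; a feed is modelled only as `(timestamp, price)` pairs.

```python
from bisect import bisect_right

# Constructed sample feed: (updated_at in seconds, price) per oracle round.
# The round at t=3500 is a constructed outlier published just before expiry.
ROUNDS = [
    (0, 2000.0),
    (1200, 2010.0),
    (2400, 1990.0),
    (3500, 2600.0),
    (3700, 2005.0),
]


def snapshot_price(rounds, expiry):
    """Settlement price taken from the last round at or before expiry."""
    times = [t for t, _ in rounds]
    i = bisect_right(times, expiry)
    if i == 0:
        raise ValueError("no round at or before expiry")
    return rounds[i - 1][1]


def twap(rounds, expiry, window):
    """Time-weighted average price over [expiry - window, expiry].

    Each round's price is treated as valid from its timestamp until the
    next round's timestamp (or until expiry for the last round in range).
    """
    if window <= 0:
        raise ValueError("window must be positive")
    start = expiry - window
    times = [t for t, _ in rounds]
    idx = bisect_right(times, start) - 1
    if idx < 0:
        raise ValueError("feed history does not cover the window start")
    weighted, cursor = 0.0, start
    while cursor < expiry:
        next_t = rounds[idx + 1][0] if idx + 1 < len(rounds) else expiry
        end = min(next_t, expiry)
        weighted += rounds[idx][1] * (end - cursor)
        cursor = end
        idx += 1
    return weighted / window


if __name__ == "__main__":
    print("snapshot:", snapshot_price(ROUNDS, 3600))
    print("1h TWAP :", round(twap(ROUNDS, 3600, 3600), 2))
```

With this constructed history the outlier round fully determines the snapshot price, while in the TWAP it is weighted only by the 100 seconds it was live within the window.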