Closed code423n4 closed 2 years ago
Duplicate of #13
Agree this is an issue, however this is not used within the core protocol (no oracles in the core bridging flow), so I would disagree with the severity.
This contract is not being actively used in the codebase. I'm downgrading this to QA because it may be integrated in the future.
Merging with #203.
Lines of code
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L99-L115
Vulnerability details
This is a very well-known wrong implementation of a price oracle based on Uniswap v2.
Both token0.balanceOf(pair) and token1.balanceOf(pair) can be easily manipulated almost for free, by sending tokens to the pair, calling the oracle to update the price and then calling pair.skim() to claw back the funds used for manipulation.
Recommendation
See: https://blog.alphaventuredao.io/fair-lp-token-pricing/
And https://github.com/Uniswap/v2-periphery/blob/master/contracts/examples/ExampleOracleSimple.sol
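Added example, not part of the original report or the Connext code base: a toy Python model of a Uniswap v2 pair showing why a price read from raw balances moves with a plain token transfer, while a time-weighted average built from reserves (the pattern of the ExampleOracleSimple contract linked above) does not. All class and function names are assumptions made for this illustration, and the pool sizes are constructed.

```python
from fractions import Fraction

class Pair:
    """Toy Uniswap v2 pair: raw token balances vs. reserves recorded at the last sync."""
    def __init__(self, bal0, bal1):
        self.bal0, self.bal1 = bal0, bal1   # what tokenN.balanceOf(pair) would return
        self.res0, self.res1 = bal0, bal1   # reserves, changed only by sync()
        self.cum0, self.last_ts = Fraction(0), 0  # cumulative price of token0, last update time

    def cumulative(self, now):
        # Cumulative price up to `now`, extended with the *reserve* price only.
        return self.cum0 + Fraction(self.res1, self.res0) * (now - self.last_ts)

    def sync(self, now):
        # Accumulate at the old reserves first, then adopt the current balances.
        self.cum0, self.last_ts = self.cumulative(now), now
        self.res0, self.res1 = self.bal0, self.bal1

    def transfer_in0(self, amount):
        self.bal0 += amount                 # plain ERC-20 transfer: reserves untouched

    def skim(self):
        # Pays out balance minus reserve, so an unsynced transfer is fully returned.
        out = (self.bal0 - self.res0, self.bal1 - self.res1)
        self.bal0, self.bal1 = self.res0, self.res1
        return out

def balance_price(pair):
    """Pattern flagged in the report: price of token0 from raw balances."""
    return Fraction(pair.bal1, pair.bal0)

class TwapOracle:
    """Average reserve price over the window between two update() calls."""
    def __init__(self, pair, now):
        self.pair, self.cum, self.ts = pair, pair.cumulative(now), now

    def update(self, now):
        cum = self.pair.cumulative(now)
        price = (cum - self.cum) / (now - self.ts)
        self.cum, self.ts = cum, now
        return price

def transfer_then_skim_check():
    pair = Pair(1_000, 2_000_000)           # constructed pool, fair price 2000
    twap = TwapOracle(pair, now=0)
    fair = balance_price(pair)
    pair.transfer_in0(9_000)                # no swap, no sync
    spot, avg = balance_price(pair), twap.update(now=600)
    return fair, spot, avg, pair.skim(), balance_price(pair)
```

The same check can serve as a regression test for an oracle: the reported price should be unchanged by a transfer that `skim()` can return in full.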