code-423n4 / 2022-06-connext-findings


Price fetched from Dex can be manipulated #219

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L109

Vulnerability details

Impact

Price fetched from Dex can be manipulated, since it depends upon the balance of a token in a contract, which can be manipulated by a flash loan.

Proof of Concept

https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L109

Tools Used

manual review

Recommended Mitigation Steps

Use Chainlink Price Feeds, which use a Volume-Weighted Average Price (VWAP) based on data from aggregators.
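A constructed illustration of the pattern this report describes, added here and not code from the Connext repository: the balance-ratio spot price read beside a Chainlink feed read that rejects stale or malformed answers. The interface declarations, contract name and MAX_STALENESS value are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 view used by the weak variant (constructed for this example).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Chainlink aggregator interface, reduced to the two calls used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract PriceOracleExample {
    // Assumption: set this from the feed's published heartbeat, not a fixed guess.
    uint256 public constant MAX_STALENESS = 1 hours;

    // WEAK: price derived from the pair's current token balances.
    // Balances can be moved within a single transaction (the flash-loan
    // pattern the report describes), so this ratio reflects only that moment.
    function spotPriceFromBalances(address pair, address token, address baseToken)
        public view returns (uint256)
    {
        uint256 tokenAmount = IERC20(token).balanceOf(pair);
        uint256 baseAmount = IERC20(baseToken).balanceOf(pair);
        require(tokenAmount > 0, "no liquidity");
        return (baseAmount * 1e18) / tokenAmount; // base units per 1e18 token units
    }

    // HARDENED: read an aggregated feed and fail closed on bad data
    // instead of silently using whatever the last round returned.
    function priceFromChainlink(AggregatorV3Interface feed) public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "invalid answer");
        require(updatedAt != 0 && block.timestamp - updatedAt <= MAX_STALENESS, "stale price");
        require(answeredInRound >= roundId, "round incomplete");
        // Normalise to 18 decimals so callers do not depend on the feed's own scale.
        uint8 dec = feed.decimals();
        return dec <= 18 ? uint256(answer) * 10 ** (18 - dec) : uint256(answer) / 10 ** (dec - 18);
    }
}
```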

LayneHaber commented 2 years ago

Duplicate of #206, #13

0xleastwood commented 2 years ago

This contract is not being actively used in the codebase. I'm downgrading this to QA because it may be integrated in the future.

0xleastwood commented 2 years ago

Merging with #238.