Closed code423n4 closed 2 years ago
Duplicate of #206 , #13
This contract is not being actively used in the codebase. I'm downgrading this to QA because it may be integrated in the future.
QA
Merging with #238.
Lines of code
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L109
Vulnerability details
Impact
The price fetched from the DEX can be manipulated, since it depends on the balance of the token held by the pool contract, and that balance can be skewed within a single transaction using a flash loan.
Proof of Concept
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L109
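The following simulation is an added example and is not code from the Connext repository or from the warden's submission. It models the pattern the finding describes: an oracle that derives a token's price from the balances a constant-product pool contract holds. The names (`Pool`, `balance_price`, `flash_loan_attack`, `TwapAccumulator`), the 18-decimal fee-less pool and the sample reserves are all assumptions made for the illustration. It shows how far a flash-loan-sized swap moves the balance-derived reading inside one transaction at zero cost to the attacker, and, as a contrast, how little the same spike moves a reading that is not taken from the live balances.

```python
"""Spot-price manipulation against a balance-based DEX oracle (simulation).

Added example: not the project's code. Models a constant-product pool whose
reserves are simply the pool contract's token balances, an oracle that prices
`token` as base_price * balance(base) / balance(token), and an attacker who
borrows base via a flash loan, skews the pool, triggers the oracle read, unwinds
and repays, all within one transaction. No swap fee is charged (assumption), so
the attacker's own swaps cost nothing; any profit comes from whatever consumed
the manipulated reading.
"""
from dataclasses import dataclass

WAD = 10**18  # fixed-point scale used for prices


@dataclass
class Pool:
    """Constant-product pool; `token` and `base` are the contract's balances."""
    token: int  # balance of the token being priced
    base: int   # balance of the base token (assumed to have a trusted price)

    def swap_base_for_token(self, base_in: int) -> int:
        """Sell `base_in` base, receive token (x*y = k, no fee)."""
        k = self.token * self.base
        new_base = self.base + base_in
        new_token = k // new_base  # rounds in the pool's favour
        token_out = self.token - new_token
        self.base, self.token = new_base, new_token
        return token_out

    def swap_token_for_base(self, token_in: int) -> int:
        """Sell `token_in` token, receive base (x*y = k, no fee)."""
        k = self.token * self.base
        new_token = self.token + token_in
        new_base = k // new_token
        base_out = self.base - new_base
        self.token, self.base = new_token, new_base
        return base_out


def balance_price(pool: Pool, base_price: int) -> int:
    """Vulnerable pattern: price of token (WAD) from the pool's current balances."""
    return base_price * pool.base // pool.token


def flash_loan_attack(pool: Pool, base_price: int, loan: int) -> tuple[int, int, int]:
    """Return (honest_price, manipulated_price, attacker_pnl_in_base).

    honest_price is the oracle reading before the attack, manipulated_price is
    the reading observed between the two swaps, pnl is what is left after the
    unwind minus the loan (zero in a fee-less pool: the skew itself is free).
    """
    honest = balance_price(pool, base_price)
    token_out = pool.swap_base_for_token(loan)       # 1. push base in, pull token out
    manipulated = balance_price(pool, base_price)    # 2. victim reads the oracle here
    base_back = pool.swap_token_for_base(token_out)  # 3. unwind the position
    pnl = base_back - loan                           # 4. repay the flash loan
    return honest, manipulated, pnl


class TwapAccumulator:
    """Time-weighted average of past readings; one manipulated block is diluted."""

    def __init__(self) -> None:
        self.cumulative = 0
        self.elapsed = 0

    def observe(self, price: int, seconds: int) -> None:
        self.cumulative += price * seconds
        self.elapsed += seconds

    def twap(self) -> int:
        return self.cumulative // self.elapsed


def demo() -> dict:
    """Constructed scenario: 1000/1000 pool, base priced at 1.0, loan equal to the reserve."""
    pool = Pool(token=1000 * WAD, base=1000 * WAD)
    honest, manipulated, pnl = flash_loan_attack(pool, base_price=WAD, loan=1000 * WAD)

    # 100 honest 12-second blocks followed by the single manipulated reading.
    acc = TwapAccumulator()
    for _ in range(100):
        acc.observe(honest, 12)
    acc.observe(manipulated, 12)

    return {
        "honest": honest,
        "manipulated": manipulated,
        "skew_factor": manipulated / honest,
        "attacker_pnl": pnl,
        "twap_after_spike": acc.twap(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a loan equal to the pool's base reserve, the balance-derived reading quadruples for the duration of the transaction while the attacker's round trip costs nothing; the same spike moves the 100-block time-weighted reading by under 3 %. The takeaway for the finding is that any reading derived from `balanceOf` on the pool contract at call time is attacker-controlled for the price of one flash loan.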
Tools Used
Manual review
Recommended Mitigation Steps
Use Chainlink Price Feeds, which report a volume-weighted average price (VWAP) based on data from aggregators.