Open code423n4 opened 2 years ago
This is not a QA issue but a level 2, and a duplicate of others
Duplicate of https://github.com/code-423n4/2022-06-connext-findings/issues/13
I'm keeping this as QA because ConnextPriceOracle.sol is not currently used at all within the codebase.
[L-01] LP spot price used as oracle
getPriceFromDex uses the spot price of an LP to determine token price. Using a single data point from the LP, instead of using a TWAP, makes the price vulnerable to manipulation.
https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L99-L115
More advice from samczsun: https://shouldiusespotpriceasmyoracle.com/
Recommended Mitigation Steps
Use a TWAP or similar secure method for a backup price oracle.
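As an added illustration of the manipulation described in this finding (example code written for this note, not Connext's code and not the warden's): a toy constant-product pool with a Uniswap-V2 style price accumulator. The pool reserves, the 0.3% fee, the one-hour window, the 12-second block time and the attacker's 3M flash loan are all constructed assumptions. It shows that a single flash-loan swap moves the spot price that a getPriceFromDex-style read would return by roughly 16x, while a TWAP observed in the same transaction is unchanged, and that keeping the reserves skewed across a block barely moves the TWAP and costs the attacker swap fees.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class ConstantProductPool:
    """Toy x*y=k pool in the style of Uniswap V2, built for this example.
    Reserves are exact Fractions so the numbers below are exact."""
    reserve_token: Fraction
    reserve_quote: Fraction
    fee: Fraction = Fraction(3, 1000)
    # price accumulator: sum of (spot price * seconds that price was live)
    price_cumulative: Fraction = Fraction(0)
    last_timestamp: int = 0

    def spot_price(self) -> Fraction:
        """Quote per token read straight from reserves: the single data point
        a spot-price oracle relies on."""
        return self.reserve_quote / self.reserve_token

    def _accumulate(self, now: int) -> None:
        # Weight the price that was live since the last update by its duration.
        self.price_cumulative += self.spot_price() * (now - self.last_timestamp)
        self.last_timestamp = now

    def observe(self, now: int) -> Fraction:
        """Snapshot the accumulator the way a TWAP consumer would."""
        self._accumulate(now)
        return self.price_cumulative

    def swap(self, amount_in: Fraction, token_in: bool, now: int) -> Fraction:
        """Swap amount_in of token (token_in=True) or quote for the other asset."""
        self._accumulate(now)
        effective = amount_in * (1 - self.fee)
        k = self.reserve_token * self.reserve_quote
        if token_in:
            out = self.reserve_quote - k / (self.reserve_token + effective)
            self.reserve_token += amount_in
            self.reserve_quote -= out
        else:
            out = self.reserve_token - k / (self.reserve_quote + effective)
            self.reserve_quote += amount_in
            self.reserve_token -= out
        return out


def twap(cum_start: Fraction, cum_end: Fraction, t_start: int, t_end: int) -> Fraction:
    """Time-weighted average price between two accumulator snapshots."""
    return (cum_end - cum_start) / (t_end - t_start)


def manipulation_scenario() -> dict:
    # Constructed pool: 1,000 TOKEN against 1,000,000 quote, so 1 TOKEN = 1,000.
    pool = ConstantProductPool(Fraction(1_000), Fraction(1_000_000))
    window = 3600          # one-hour TWAP window (assumption)
    block_time = 12        # seconds per block (assumption)
    cum_start = pool.observe(0)
    honest_spot = pool.spot_price()

    # t = window: attacker flash-borrows 3M quote, buys TOKEN and, in the
    # same transaction, has the victim read the oracle.
    bought = pool.swap(Fraction(3_000_000), token_in=False, now=window)
    manipulated_spot = pool.spot_price()
    twap_same_tx = twap(cum_start, pool.observe(window), 0, window)

    # Alternative: attacker leaves reserves skewed for one full block before unwinding.
    twap_next_block = twap(cum_start, pool.observe(window + block_time), 0, window + block_time)
    recovered = pool.swap(bought, token_in=True, now=window + block_time)
    attacker_loss = Fraction(3_000_000) - recovered

    return {
        "honest_spot": honest_spot,              # 1000
        "manipulated_spot": manipulated_spot,    # 15964, ~16x in one swap
        "twap_same_tx": twap_same_tx,            # still 1000: zero seconds of skew
        "twap_next_block": twap_next_block,      # ~1050: one block of skew in an hour
        "attacker_loss": attacker_loss,          # positive: fees paid both ways
    }


if __name__ == "__main__":
    for name, value in manipulation_scenario().items():
        print(f"{name}: {float(value):.2f}")
```

The same-transaction TWAP is unchanged because the accumulator only counts a price for the seconds it was live, and a flash-loan swap and the oracle read happen at the same timestamp. Pushing the TWAP by even 5% requires the attacker to hold the skewed reserves across blocks, paying fees both ways and exposing the position to arbitrage, which is the cost that the spot-price read never imposes.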