code-423n4 / 2022-09-y2k-finance-findings


Sensitivity to rapid price change #287

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L96-L99

Vulnerability details

Impact

Sensitivity to rapid price change

Proof of Concept

It is actually not rare for some stablecoins like DAI, MIM, FEI, or even USDT to flash-depeg for a very short amount of time. Currently, the protocol doesn't protect RISK users from such brief events.

It would be better if the depeg event could be triggered only if the depeg happened for real. This would require some form of TWAPing.

Tools Used

Manual review

Recommended Mitigation Steps

We recommend protecting RISK users from flash-depegs by utilizing TWAPing or an oracle that supports TWAP price feeds.
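The difference between the current spot check and the TWAP the warden recommends, as an added example that is not code from the y2k-finance repository: the feed data is constructed inline in the shape of Chainlink's `getRoundData` tuple (roundId, answer with 8 decimals, updatedAt), the $0.99 strike and the one-hour window are assumed values, and the function and field names are my own. A one-round flash dip to $0.95 trips the spot check but not the time-weighted one; a dip sustained for 30 minutes trips both.

```python
"""Spot check vs time-weighted check of a strike price over Chainlink-style rounds.

Added example, not from the y2k-finance repo. Round data is constructed inline and
shaped like AggregatorV3Interface.getRoundData: (roundId, answer, updatedAt), with
`answer` carrying 8 decimals. STRIKE and WINDOW are assumed values.
"""
from dataclasses import dataclass
from typing import List

DECIMALS = 10**8
STRIKE = 99 * DECIMALS // 100   # assumed strike: $0.99
WINDOW = 3600                   # assumed TWAP window: 1 hour


@dataclass(frozen=True)
class Round:
    round_id: int
    answer: int       # price * 10**8, as a Chainlink USD feed reports it
    updated_at: int   # unix timestamp of the update


def spot_depegged(rounds: List[Round], strike: int = STRIKE) -> bool:
    """Spot check: the latest round alone decides, so a one-round dip triggers."""
    return rounds[-1].answer < strike


def twap(rounds: List[Round], now: int, window: int = WINDOW) -> int:
    """Time-weighted average answer over [now - window, now].

    A round's answer is held from its updated_at until the next round's
    updated_at (or `now` for the latest round), so irregular update intervals
    such as Chainlink's deviation-triggered rounds are weighted by duration.
    Raises if the supplied rounds do not cover the whole window.
    """
    if any(b.updated_at <= a.updated_at for a, b in zip(rounds, rounds[1:])):
        raise ValueError("rounds must be in increasing updated_at order")
    start = now - window
    weighted = covered = 0
    for i, r in enumerate(rounds):
        seg_start = max(r.updated_at, start)
        seg_end = rounds[i + 1].updated_at if i + 1 < len(rounds) else now
        seg_end = min(seg_end, now)
        if seg_end <= seg_start:
            continue                      # round lies entirely outside the window
        weighted += r.answer * (seg_end - seg_start)
        covered += seg_end - seg_start
    if covered < window:
        raise ValueError("oracle history does not cover the window")
    return weighted // covered


def twap_depegged(rounds: List[Round], now: int,
                  strike: int = STRIKE, window: int = WINDOW) -> bool:
    """Time-weighted check: only a dip that persists across the window triggers."""
    return twap(rounds, now, window) < strike


def make_series(dip_rounds: int, period: int = 60, total: int = 7200) -> List[Round]:
    """Constructed feed: $1.00 every `period` seconds, last `dip_rounds` rounds at $0.95."""
    n = total // period
    dip = 95 * DECIMALS // 100
    return [
        Round(round_id=i + 1,
              answer=dip if i >= n - dip_rounds else DECIMALS,
              updated_at=i * period)
        for i in range(n)
    ]


if __name__ == "__main__":
    now = 7200
    for label, series in (("flash dip (1 round)", make_series(1)),
                          ("sustained dip (30 rounds)", make_series(30))):
        print(f"{label}: spot={spot_depegged(series)} "
              f"twap={twap(series, now)} twap_depegged={twap_depegged(series, now)}")
```

The trade-off a practitioner should weigh before adopting this: the time-weighted check cannot fire until the dip has dominated the window, so a genuine depeg is detected up to `WINDOW` later than the spot check would detect it, and hedge buyers pay for that delay. On a live Chainlink feed the rounds would be walked backwards with `getRoundData` from `latestRoundData`, and `updated_at` staleness should be checked before any of the rounds are trusted.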

3xHarry commented 1 year ago

Not relevant, as price feeds are exclusively Chainlink oracles

HickupHH3 commented 1 year ago

Similar to #283 where the issue relates to the choice of oracle.

HickupHH3 commented 1 year ago

README mentions that Chainlink oracles are used. Downgrading to NC.

Warden's primary QA.