code-423n4 / 2023-03-asymmetry-findings


Reth derivative is vulnerable to oracle manipulation with flashloan #43

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L228-L242

Vulnerability details

Impact

Reth pool price can be manipulated to cause loss of funds for the protocol and other users

Proof of Concept

Reth poolPrice uses UniV3Pool.slot0 to determine the price of reth/eth; slot0 is the most recent data point and can easily be manipulated. This allows a malicious user to manipulate the valuation of the rETH. An example of this kind of manipulation would be to use a large amount of reth to be withdrawn.

Tools Used

Manual review

Recommended Mitigation Steps

Consider using a TWAP oracle instead of reading from slot0.
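The gap between a slot0 reading and the recommended TWAP, worked through with Uniswap v3 tick arithmetic as an added example (not part of the original report or the Asymmetry code base). The tick history, the 1800-second window and all helper names are constructed assumptions.

```python
# Added illustration: every number here is constructed, not read from the rETH/WETH pool.
from decimal import Decimal, getcontext

getcontext().prec = 40
TICK_BASE = Decimal("1.0001")  # Uniswap v3: price = 1.0001 ** tick


def price_at_tick(tick: int) -> Decimal:
    """token1-per-token0 price implied by a tick."""
    return TICK_BASE ** tick


def accumulate(segments):
    """Sum tick * seconds-held, as the pool oracle's tickCumulative does.

    segments: chronological list of (tick, seconds) pairs (constructed input).
    Returns (tickCumulative_at_window_start, tickCumulative_now, window_seconds).
    """
    cumulative = sum(tick * seconds for tick, seconds in segments)
    elapsed = sum(seconds for _, seconds in segments)
    return 0, cumulative, elapsed


def twap_tick(cum_then: int, cum_now: int, seconds_ago: int) -> int:
    """Arithmetic mean tick over the window, rounded toward negative infinity."""
    if seconds_ago <= 0:
        raise ValueError("window must be positive")
    return (cum_now - cum_then) // seconds_ago  # Python's // already floors


def deviation_bps(observed: Decimal, reference: Decimal) -> Decimal:
    """Absolute deviation of observed from reference, in basis points."""
    return abs(observed - reference) / reference * 10_000


def compare(segments):
    """Return (spot_price, twap_price); the last segment's tick plays slot0's tick."""
    mean = twap_tick(*accumulate(segments))
    return price_at_tick(segments[-1][0]), price_at_tick(mean)


# Constructed history: tick 700 held for 1788 s, then tick 5000 for one 12 s block.
HISTORY = [(700, 1788), (5000, 12)]
BASELINE = price_at_tick(700)  # price before the last block's move

if __name__ == "__main__":
    spot, twap = compare(HISTORY)
    print(f"slot0 deviation: {deviation_bps(spot, BASELINE):.0f} bps")
    print(f"TWAP deviation:  {deviation_bps(twap, BASELINE):.0f} bps")
```

With this constructed history the slot0-style reading sits more than 50% away from the baseline, while the 1800-second mean tick moves by about 28 basis points.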

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

elmutt commented 1 year ago

We will be switching to Chainlink prices. Thanks.

c4-sponsor commented 1 year ago

elmutt marked the issue as sponsor confirmed

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #1125