Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as low quality report
we will be switching to chainlink prices. thanks
elmutt marked the issue as sponsor confirmed
Picodes marked the issue as satisfactory
Picodes marked the issue as duplicate of #1125
Lines of code
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L228-L242
Vulnerability details
Impact
Reth pool price can be manipulated to cause loss of funds for the protocol and other users
Proof of Concept
Reth
poolPrice
uses the UniV3Pool.slot0 to determine the price of reth/eth, slot0 is the most recent data point and can easily be manipulated. This allows a malicious user to manipulate the valuation of the rETH. An example of this kind of manipulation would be to use large amount of reth to be withdraw.Tools Used
Manual review
Recommended Mitigation Steps
Consider using TWAP oracle instead of reading from slot0