Open code423n4 opened 1 year ago
141345 marked the issue as duplicate of #278
141345 marked the issue as not a duplicate
141345 marked the issue as primary issue
publiuss marked the issue as sponsor confirmed
alcueca marked the issue as selected for report
This issue has been fixed by updating the Pumps in shift(...)
and sync(...)
:
Lines of code
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L352-L377 https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L590-L598
Vulnerability details
Vulnerability details
The
Wall
contract mandates that thePumps
should be updated with the previous block'sreserves
in casereserves
are changed in the current block to reflect the price change accurately.However, this doesn't happen in the
shift()
andsync()
functions, providing an opportunity for any user to manipulate thereserves
in the current block before updating thePumps
with new manipulatedreserves
values.Impact
The
Pumps
(oracles) can be manipulated. This can affect any contract/protocol that utilizesPumps
as on-chain oracles.Proof of Concept
shift()
operation to updatereserve
s to desired amounts in the current block, thereby overriding thereserves
from the previous block.swapFrom()/swapTo()
operations to extract back the funds used in theshift()
function. As a result, the attacker is not affected by any arbitration as poolreserves
revert back to the original state.swapFrom()/swapTo()
operations trigger thePumps
update with invalidreserves
, resulting in oracle manipulation.Note: The
sync()
function can also manipulatereserves
in the current block, but it's less useful thanshift()
from an attacker's perspective.PoC Tests
This test illustrates how to use
shift()
to manipulatePumps
data.Create
test/pumps/Pump.Manipulation.t.sol
and runforge test --match-test manipulatePump
.Tools Used
Manual review, Foundry
Recommended Mitigation Steps
Update
Pumps
in theshift()
andsync()
function.Assessed type
Oracle