code-423n4 / 2023-07-moonwell-findings


`setDirectPrice` is vulnerable to sandwich attack #366

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkOracle.sol#L115-L138

Vulnerability details

Impact

In ChainlinkOracle.sol we have setDirectPrice():

    // Admin override: records the old price from `prices` in the event and then overwrites it
    function setDirectPrice(address asset, uint256 price) external onlyAdmin {
        emit PricePosted(asset, prices[asset], price, price);
        prices[asset] = price;
    }

This function, setDirectPrice(), allows the admin of the contract to manually set the price of a given asset.

The problem here is that when the price is updated, an attacker can sandwich the update to gain a profit.

Proof of Concept

A malicious actor can watch the mempool for calls to setDirectPrice(), front-run the call, and take advantage of it to make a profit.

This also applies to the setUnderlyingPrice() function.

Tools Used

Visual Studio Code

Recommended Mitigation Steps

This is very difficult to prevent. Only use these functions as a last resort. It's best not to use these functions and trust the data that comes from Chainlink.

Assessed type

MEV
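The pattern the report describes (a user transaction placed immediately before and immediately after an admin price update) is visible after the fact in on-chain event ordering. The following is an added example, not part of this issue or of the Moonwell code base: a small detector that scans a constructed list of events and flags any actor who touched the same asset on both sides of a `PricePosted` emission within one block. The event shape (`Event` with block, tx index, kind, actor, asset) and the sample records are assumptions constructed for the example; the only name taken from the page is the `PricePosted` event. As the later comments note, updates submitted through a private mempool bundle would not leave this pattern, so the check only covers updates broadcast publicly.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One decoded log entry. Field layout is an assumption for this example."""
    block: int
    tx_index: int
    kind: str    # "PricePosted" for the oracle admin update, otherwise a user action name
    actor: str   # msg.sender of the transaction that emitted the log
    asset: str   # asset whose price / position the log concerns


def find_sandwiched_updates(events):
    """Return sorted (block, asset, actor) triples where `actor` acted on `asset`
    both before and after a PricePosted for that asset in the same block.

    The check is intentionally narrow: a sandwich needs one transaction on each
    side of the update, so an actor seen on only one side is not reported.
    """
    by_block = defaultdict(list)
    for e in events:
        by_block[e.block].append(e)

    hits = set()
    for block, evs in by_block.items():
        evs = sorted(evs, key=lambda e: e.tx_index)
        for i, upd in enumerate(evs):
            if upd.kind != "PricePosted":
                continue
            # Actors who touched this asset earlier / later in the same block.
            before = {x.actor for x in evs[:i]
                      if x.asset == upd.asset and x.kind != "PricePosted"}
            after = {x.actor for x in evs[i + 1:]
                     if x.asset == upd.asset and x.kind != "PricePosted"}
            for actor in before & after:
                hits.add((block, upd.asset, actor))
    return sorted(hits)


# Constructed sample events (not real chain data). Block 100 contains the
# pattern: alice borrows, the admin posts a price, alice repays. Block 101 has
# different actors on each side of the update, so it must not be flagged.
SAMPLE_EVENTS = [
    Event(100, 3, "Borrow", "alice", "WETH"),
    Event(100, 4, "PricePosted", "admin", "WETH"),
    Event(100, 5, "Repay", "alice", "WETH"),
    Event(100, 6, "Borrow", "dave", "USDC"),
    Event(101, 0, "Borrow", "bob", "WETH"),
    Event(101, 1, "PricePosted", "admin", "WETH"),
    Event(101, 2, "Redeem", "carol", "WETH"),
    Event(102, 7, "PricePosted", "admin", "WETH"),
]


def scan_sample():
    """Run the detector over the constructed sample and return its findings."""
    return find_sandwiched_updates(SAMPLE_EVENTS)


if __name__ == "__main__":
    for block, asset, actor in scan_sample():
        print(f"block {block}: {actor} bracketed the {asset} price update")
```

On a real deployment the `Event` list would be built from decoded logs of the oracle and its consumer contracts ordered by (block, transaction index); the detector itself does not care where the records come from.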

0xSorryNotSorry commented 1 year ago

This behaviour is not about being a malicious actor but only taking advantage of the end user's spot position. It will not harm the protocol or any other end-users. In addition, this type of TX can be submitted via a private mempool bundle to prevent such behaviour.

Inflated submission.

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

alcueca commented 1 year ago

The sponsor has already stated that setDirectPrice and setUnderlyingPrice are only to be used as a last resort.

Additionally, Chainlink oracles are set to determine the value of collateral posted for borrowing; the warden assumes they are used for swapping assets.

c4-judge commented 1 year ago

alcueca marked the issue as unsatisfactory: Invalid