Closed code423n4 closed 11 months ago
Over inflated severity
bytes032 marked the issue as low quality report
GalloDaSballo marked the issue as unsatisfactory: Invalid
The entire point of the oracle is to protect against attacks; reverting is intended
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L544-L549
Vulnerability details
Impact
Calculating slippage using oracle prices will lead to inaccurate slippage values; due to this, swaps will fail or execute with higher slippage.
Proof of Concept
In the _curveSwap function of the RdpxV2Core contract, slippage is being calculated using oracle prices. But oracles like Chainlink don't reflect the prices of AMMs like Curve or Uniswap immediately. There will be some delay. So oracle prices will always deviate a bit from on-chain AMM exchange rates, so executing swaps with on-chain calculated slippage will sometimes lead to higher slippage and loss of funds.
The sponsor has also mentioned this:
We will be running our own oracles to start with, but we are working with Chainlink to get price feeds and will shift to that once it's done.
So the chances of prices deviating from actual AMM exchange rates are higher in this case.
Tools Used
Recommended Mitigation Steps
Slippage calculated off-chain should always be used instead of calculating it on-chain.
Assessed type
Oracle
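An added illustration of the two ways of setting a swap's minimum output that this thread contrasts: a floor derived from an oracle price and a floor derived from the pool's own quote. It is not code from the Dopex repository; the function names, the 1e8 price scale, the 4 bps fee and the constant-product pool standing in for Curve are all assumptions, and the reserves are constructed.

```python
# Added illustration, not code from RdpxV2Core. Names, scales and the pool
# model are assumptions: a constant-product pool stands in for Curve.
BPS = 10_000
PRICE_SCALE = 10**8      # assumed oracle price scale
UNIT = 10**18            # token base units


class SlippageExceeded(Exception):
    """Stands in for the revert when output < minimum."""


def min_out_from_oracle(amount_in, oracle_price, tolerance_bps):
    """Floor derived on-chain from an oracle price (tokenOut per tokenIn)."""
    expected = amount_in * oracle_price // PRICE_SCALE
    return expected * (BPS - tolerance_bps) // BPS


def pool_quote(amount_in, reserve_in, reserve_out, fee_bps=4):
    """Output the pool would pay right now (x*y=k with a fee)."""
    net_in = amount_in * (BPS - fee_bps) // BPS
    return reserve_out * net_in // (reserve_in + net_in)


def min_out_from_quote(amount_in, reserve_in, reserve_out, tolerance_bps):
    """Floor derived from the pool's own quote, as an off-chain caller would."""
    return pool_quote(amount_in, reserve_in, reserve_out) * (BPS - tolerance_bps) // BPS


def swap(amount_in, reserve_in, reserve_out, min_out):
    out = pool_quote(amount_in, reserve_in, reserve_out)
    if out < min_out:
        raise SlippageExceeded(f"out={out} < min_out={min_out}")
    return out


def compare(reserve_in, reserve_out, amount_in=1_000 * UNIT,
            oracle_price=1 * PRICE_SCALE, tolerance_bps=50):
    """Return (result with oracle floor, result with quote floor); None = reverted."""
    floors = (
        min_out_from_oracle(amount_in, oracle_price, tolerance_bps),
        min_out_from_quote(amount_in, reserve_in, reserve_out, tolerance_bps),
    )
    results = []
    for floor in floors:
        try:
            results.append(swap(amount_in, reserve_in, reserve_out, floor))
        except SlippageExceeded:
            results.append(None)
    return tuple(results)
```

With the pool about 2% away from the oracle price (`compare(1_010_000 * UNIT, 990_000 * UNIT)`), the oracle-derived floor reverts the swap, while the quote-derived floor lets it execute at the pool's rate, below what the oracle floor would have accepted.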