Closed c4-bot-3 closed 5 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) disputed
Collateral value is determined by the PriceAggregator which uses Chainlink, Uniswap TWAP and Salty reserves.
Manipulation of simply the Salty reserves is insufficient to affect collateral value as the other two prices will then be used.
Picodes marked the issue as duplicate of #222
Picodes marked the issue as satisfactory
Picodes marked the issue as not a duplicate
> Collateral value is determined by the PriceAggregator which uses Chainlink, Uniswap TWAP and Salty reserves.
> Manipulation of simply the Salty reserves is insufficient to affect collateral value as the other two prices will then be used.

This report isn't about manipulating PriceAggregator but the pool's reserves. Essentially it is #222 but to trigger liquidations.
Picodes marked the issue as duplicate of #222
Picodes changed the severity to 2 (Med Risk)
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/CollateralAndLiquidity.sol#L145
https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/CollateralAndLiquidity.sol#L304
https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/CollateralAndLiquidity.sol#L230-L235
Vulnerability details
`userCollateralValueInUSD`, which is called by `canUserBeLiquidated`, uses the WETH/WBTC pool reserves to calculate how much WBTC and WETH the liquidated user's shares are worth. These amounts are then used to calculate `underlyingTokenValueInUSD`. But depending on the WBTC and WETH prices, the current reserve ratio changes the USD value of the user's shares, making the user liquidatable or not. By swapping into the pool, the attacker can change the WBTC/WETH reserve ratio to put users in a liquidatable position and collect the liquidation reward, then swap the pool back to its previous state and keep the profit.
https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/CollateralAndLiquidity.sol#L230-L235
Impact
A malicious user can manipulate the WBTC/WETH reserves ratio by swapping and use this to liquidate users.
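The following is an added example, not code from the report or from the Salty project. It models the valuation issue described above with a toy constant-product pool and constructed numbers (WBTC at 40,000 USD, WETH at 2,000 USD, a pool initially skewed away from the oracle ratio, a user holding 10% of the shares, and a constructed 110% minimum collateral ratio). It contrasts the spot-reserve valuation the report describes, which changes with every swap, against an invariant-based "fair LP" valuation (2*sqrt(k*p_wbtc*p_weth) per total shares) that depends only on k and therefore cannot be moved by a swap. The `Pool`, `naive_value_usd`, `fair_value_usd`, `arbitrage_to_oracle` and `is_liquidatable` names are all hypothetical.

```python
import math
from dataclasses import dataclass

# Constructed oracle prices in USD (assumptions for this example only).
P_WBTC = 40_000.0
P_WETH = 2_000.0
USER_SHARES = 100.0      # constructed: the user holds 10% of a 1000-share pool
DEBT_USD = 815_000.0     # constructed: user's outstanding debt


@dataclass
class Pool:
    """Toy constant-product WBTC/WETH pool (constructed, not Salty's implementation)."""
    reserve_wbtc: float
    reserve_weth: float
    total_shares: float

    def swap_wbtc_in(self, wbtc_in: float) -> float:
        """Fee-less x*y=k swap selling WBTC into the pool; returns WETH out."""
        k = self.reserve_wbtc * self.reserve_weth
        new_wbtc = self.reserve_wbtc + wbtc_in
        new_weth = k / new_wbtc
        weth_out = self.reserve_weth - new_weth
        self.reserve_wbtc, self.reserve_weth = new_wbtc, new_weth
        return weth_out

    def swap_weth_in(self, weth_in: float) -> float:
        """Fee-less x*y=k swap selling WETH into the pool; returns WBTC out."""
        k = self.reserve_wbtc * self.reserve_weth
        new_weth = self.reserve_weth + weth_in
        new_wbtc = k / new_weth
        wbtc_out = self.reserve_wbtc - new_wbtc
        self.reserve_wbtc, self.reserve_weth = new_wbtc, new_weth
        return wbtc_out


def naive_value_usd(pool: Pool, shares: float, p_wbtc: float, p_weth: float) -> float:
    """Spot-reserve valuation: the user's share of the *current* reserves, priced
    at oracle prices. This is the pattern the report describes; because the
    reserve split changes on every swap, so does this value."""
    frac = shares / pool.total_shares
    return frac * (pool.reserve_wbtc * p_wbtc + pool.reserve_weth * p_weth)


def fair_value_usd(pool: Pool, shares: float, p_wbtc: float, p_weth: float) -> float:
    """Invariant-based valuation: price the share at the reserves the pool would
    hold if arbitraged to the oracle ratio, which is 2*sqrt(k*p_wbtc*p_weth).
    Swaps preserve k, so this value cannot be moved by swapping."""
    k = pool.reserve_wbtc * pool.reserve_weth
    return (shares / pool.total_shares) * 2.0 * math.sqrt(k * p_wbtc * p_weth)


def arbitrage_to_oracle(pool: Pool, p_wbtc: float, p_weth: float) -> None:
    """Single swap that moves the pool ratio exactly onto the oracle price ratio
    (constructed helper; at this point the spot valuation reaches its minimum)."""
    k = pool.reserve_wbtc * pool.reserve_weth
    target_wbtc = math.sqrt(k * p_weth / p_wbtc)
    if target_wbtc > pool.reserve_wbtc:
        pool.swap_wbtc_in(target_wbtc - pool.reserve_wbtc)
    else:
        target_weth = math.sqrt(k * p_wbtc / p_weth)
        pool.swap_weth_in(target_weth - pool.reserve_weth)


def is_liquidatable(collateral_usd: float, debt_usd: float, min_ratio: float = 1.10) -> bool:
    """Constructed liquidation rule: collateral must cover debt * min_ratio."""
    return collateral_usd < debt_usd * min_ratio


def run_scenario() -> tuple[float, float, float, float]:
    """Return (naive_before, naive_after, fair_before, fair_after) for the user's
    share when one swap rebalances an initially skewed pool (constructed numbers)."""
    pool = Pool(reserve_wbtc=100.0, reserve_weth=2500.0, total_shares=1000.0)
    naive_before = naive_value_usd(pool, USER_SHARES, P_WBTC, P_WETH)
    fair_before = fair_value_usd(pool, USER_SHARES, P_WBTC, P_WETH)
    arbitrage_to_oracle(pool, P_WBTC, P_WETH)
    naive_after = naive_value_usd(pool, USER_SHARES, P_WBTC, P_WETH)
    fair_after = fair_value_usd(pool, USER_SHARES, P_WBTC, P_WETH)
    return naive_before, naive_after, fair_before, fair_after


if __name__ == "__main__":
    nb, na, fb, fa = run_scenario()
    print(f"spot valuation: {nb:,.2f} -> {na:,.2f} USD after one swap")
    print(f"fair valuation: {fb:,.2f} -> {fa:,.2f} USD after one swap")
    print("spot rule liquidatable before/after:",
          is_liquidatable(nb, DEBT_USD), is_liquidatable(na, DEBT_USD))
    print("fair rule liquidatable before/after:",
          is_liquidatable(fb, DEBT_USD), is_liquidatable(fa, DEBT_USD))
```

With these constructed numbers the spot valuation drops from 900,000 to about 894,427 USD after a single swap, which is enough to cross the constructed 110% threshold for a debt of 815,000 USD, while the invariant-based valuation stays at about 894,427 USD before and after. The general point for reviewers is that a collateral value computed from the current reserve split is a function of the last swap, whereas a value computed from k and oracle prices is not; by AM-GM the spot value is always at or above the invariant-based value and is minimised exactly when the pool ratio matches the oracle ratio.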
Proof of Concept
Assessed type
Oracle