code-423n4 / 2024-01-salty-findings


Price aggregator will not show precise price feed #938

Closed c4-bot-1 closed 5 months ago

c4-bot-1 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/price_feed/PriceAggregator.sol#L108-L147

Vulnerability details

Impact

The current implementation of the price feed will not show a precise price, and there will be a potential oracle price attack.

Proof of Concept

The protocol takes an average price feed from Chainlink, Uniswap and Salt. The Chainlink price feed uses VWAP-based pricing and Uniswap uses TWAP-based pricing. The protocol also uses reserve pricing. Taking the average price from these three will not get the best price, and an oracle price attack will happen.

Tools Used

Manual review

Recommended Mitigation Steps

Use Chainlink as the main oracle, because the Chainlink oracle is really great for preventing price manipulation, but for some depegging events, integrating an on-chain liquidity-based oracle such as UniV3 TWAP is a great choice. By monitoring the price derived from the liquidity-based oracle and comparing it to the Chainlink oracle's price, borrowing activities can be halted if the threshold deviation is breached.

A double oracle setup can prevent borrowing against a devalued asset and the accumulation of bad debt.

Assessed type

Context
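The two approaches the report contrasts, as an added example that is not code from the report or from the Salty.IO repository: a plain three-feed mean beside a Chainlink-primary / TWAP-sanity-check that halts borrowing on deviation. It assumes prices are integers scaled by 1e18 and that the deviation threshold is expressed in basis points; the sample prices are constructed.

```python
# Added example, not code from the finding or the Salty.IO contracts.
# Assumption: prices are integers scaled by 1e18, thresholds in basis points.
WAD = 10**18
BPS = 10_000


def average_of_three(chainlink: int, twap: int, reserves: int) -> int:
    """The approach the report criticises: a plain mean of three feeds.

    One skewed input (e.g. a reserve price moved within a single block)
    shifts the aggregate by a third of its error, so the mean is never
    more robust than its weakest source."""
    return (chainlink + twap + reserves) // 3


def deviation_bps(reference: int, other: int) -> int:
    """Absolute deviation of `other` from `reference`, in basis points."""
    if reference <= 0:
        raise ValueError("reference price must be positive")
    return abs(reference - other) * BPS // reference


def dual_oracle_price(chainlink: int, twap: int, max_deviation_bps: int) -> tuple[int, bool]:
    """The mitigation the report recommends: Chainlink as the primary feed,
    a liquidity-based TWAP as the cross-check.

    Returns (price, halted). A zero or negative feed halts outright; a TWAP
    that deviates from Chainlink by more than `max_deviation_bps` returns
    the Chainlink price but flags that borrowing should be halted."""
    if chainlink <= 0 or twap <= 0:
        return 0, True
    if deviation_bps(chainlink, twap) > max_deviation_bps:
        return chainlink, True
    return chainlink, False


if __name__ == "__main__":
    # Constructed sample: honest feeds near $2000, reserve price pushed up 30%.
    cl, twap, reserves = 2000 * WAD, 2010 * WAD, 2600 * WAD
    print("three-feed mean (USD):", average_of_three(cl, twap, reserves) / WAD)
    print("dual oracle, feeds agree:", dual_oracle_price(cl, twap, 200))
    # Constructed depeg: TWAP 10% below Chainlink, 2% threshold -> halted.
    print("dual oracle, depeg:", dual_oracle_price(cl, 1800 * WAD, 200))
```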

c4-judge commented 5 months ago

Picodes marked the issue as duplicate of #609

c4-judge commented 5 months ago

Picodes marked the issue as partial-50

Picodes commented 5 months ago

The report is of low quality and doesn't explain much

c4-judge commented 5 months ago

Picodes marked the issue as satisfactory