code-423n4 / 2024-02-wise-lending-findings


`_validateAnswer` function inadequate for detecting manipulation attempts. #178

Closed c4-bot-8 closed 5 months ago

c4-bot-8 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseOracleHub/WiseOracleHub.sol#L69-L83

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseOracleHub/OracleHelper.sol#L131-L174

Vulnerability details

Summary

Price manipulation is a critical concern for the Wise Lending protocol, as it heavily relies on external price oracles, such as Chainlink, to determine asset prices and calculate borrowing and lending rates. If the oracle data is manipulated or compromised, it can lead to significant exploits and financial losses for the protocol and its users.

Impact

Price manipulation can have severe consequences for the Wise Lending protocol. If an attacker successfully manipulates the price feed data, they can exploit the protocol in various ways:

  1. If the manipulated price feed reports a lower asset price than the true market value, an attacker can borrow assets at an artificially low interest rate, effectively getting a discounted loan.

  2. Manipulated price feeds can trigger invalid liquidations of borrowers' positions. If the reported price is significantly lower than the real market price, the protocol may incorrectly determine that a borrower's collateral is insufficient, leading to unfair liquidations.

  3. If the price feed reports an inflated asset price, an attacker can use that asset as collateral and borrow more funds than they should be allowed to, based on the true market value of their collateral.

Proof of Concept

The Wise Lending protocol has a heavy reliance on external price oracles without sufficient validation and sanity checks.

  1. Oracle Setup: In the WiseOracleHub contract, the latestResolver function returns the latest price data for a given token: WiseOracleHub.sol#latestResolver

```solidity
function latestResolver(
    address _tokenAddress
)
    public
    view
    returns (uint256)
{
    if (chainLinkIsDead(_tokenAddress) == true) {
        revert OracleIsDead();
    }

    return _validateAnswer(
        _tokenAddress
    );
}
```

The _validateAnswer function is responsible for validating the oracle data: OracleHelper.sol#_validateAnswer

```solidity
function _validateAnswer(
    address _tokenAddress
)
    internal
    view
    returns (uint256)
{
    // ...

    uint256 answer = _getChainlinkAnswer(
        _tokenAddress
    );

    if (tokenAggregatorFromTokenAddress[_tokenAddress] > ZERO_AGGREGATOR) {
        _compareMinMax(
            tokenAggregatorFromTokenAddress[_tokenAddress],
            int192(uint192(answer))
        );
    }

    // ...

    return answer;
}
```

The _validateAnswer function retrieves the Chainlink price feed data using _getChainlinkAnswer and performs a min/max check using _compareMinMax if an aggregator is set for the token.

  2. Lack of Comprehensive Validation: The current validation in _validateAnswer is insufficient to detect and prevent price manipulation attempts. The min/max check (_compareMinMax) only ensures that the answer falls within a predefined range, but it does not account for sudden price fluctuations or abnormal deviations from the true market price.

  3. Missing Sanity Checks: The code lacks additional sanity checks to verify the reasonableness of the oracle data. For example, there are no checks to compare the reported price with historical prices or to detect significant price changes within a short time frame.

Consider a scenario where an attacker manipulates the Chainlink price feed for a specific token. They exploit a vulnerability in the Oracle system and artificially inflate the reported price by 50%. When a user attempts to borrow using that token as collateral, the Wise Lending protocol relies on the manipulated price feed to calculate the borrowing capacity. As a result, the user can borrow significantly more funds than they should be allowed to, based on the true market value of their collateral. The protocol may not detect this manipulation due to the lack of comprehensive validation and sanity checks.

Tools Used

VsCode

Recommended Mitigation Steps

Implement additional validation checks in the _validateAnswer function, such as comparing the reported price with historical prices, checking for sudden price deviations, and verifying the price against multiple oracle sources.

Implement a delay mechanism for critical actions, such as liquidations or large borrowing requests, to allow time for manual intervention or confirmation in case of suspected price manipulation.

Assessed type

Oracle

c4-pre-sort commented 6 months ago

GalloDaSballo marked the issue as insufficient quality report

vm06007 commented 5 months ago

WiseLending is using heartbeat checks, min/max value checks, and cross-reference pricing check with TWAP feed

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Invalid
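
As an added illustration (not code from the Wise Lending repository or from any commenter), the following Python model runs the three layers named in this thread, heartbeat, min/max and TWAP cross-reference, over constructed feed rounds, including the 50% inflation scenario from the report. Every name, threshold and price here is an assumption made for the example, including the strict form of the min/max comparison.

```python
from dataclasses import dataclass

@dataclass
class Round:
    answer: int      # feed price with 8 decimals (constructed)
    updated_at: int  # unix timestamp of the last feed update

class OracleRejected(Exception):
    pass

def validate_answer(rnd, now, twap, *, heartbeat, min_answer, max_answer, max_dev_bps):
    """Return rnd.answer if it passes all three layers, else raise OracleRejected."""
    # 1. Heartbeat: a feed not updated within its heartbeat is treated as stale.
    if now - rnd.updated_at > heartbeat:
        raise OracleRejected("stale")
    # 2. Min/max: an answer sitting on or outside a bound is rejected (assumed strict).
    if not (min_answer < rnd.answer < max_answer):
        raise OracleRejected("min/max")
    # 3. Cross-reference: deviation from an independent TWAP, in basis points.
    dev_bps = abs(rnd.answer - twap) * 10_000 // twap
    if dev_bps > max_dev_bps:
        raise OracleRejected("twap deviation")
    return rnd.answer

def classify(rnd, now, twap, **limits):
    """Name the layer that rejected the round, or 'ok' if it passed."""
    try:
        validate_answer(rnd, now, twap, **limits)
        return "ok"
    except OracleRejected as exc:
        return str(exc)

# Constructed limits and samples; none of these values come from the protocol.
LIMITS = dict(heartbeat=3600, min_answer=1_00000000,
              max_answer=100_000_00000000, max_dev_bps=250)
NOW = 1_700_000_000
TWAP = 2_000_00000000  # independent reference price: 2000.00
SAMPLES = {
    "fresh": Round(2_010_00000000, NOW - 60),
    "inflated_50pct": Round(3_000_00000000, NOW - 60),  # inside min/max bounds
    "stale": Round(2_000_00000000, NOW - 7200),
    "clamped_at_min": Round(1_00000000, NOW - 60),
}
RESULTS = {name: classify(r, NOW, TWAP, **LIMITS) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in RESULTS.items():
        print(f"{name:15s} -> {verdict}")
```

In this model the 50% inflated round passes the min/max layer and is rejected only by the TWAP deviation layer, which is why the layers are evaluated together rather than in isolation.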