Closed c4-bot-8 closed 5 months ago
GalloDaSballo marked the issue as insufficient quality report
WiseLending is using heartbeat checks, min/max value checks, and cross-reference pricing check with TWAP feed
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseOracleHub/WiseOracleHub.sol#L69-L83
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseOracleHub/OracleHelper.sol#L131-L174
Vulnerability details
Summary
Price manipulation is a critical concern for the Wise Lending protocol, as it heavily relies on external price oracles, such as Chainlink, to determine asset prices and calculate borrowing and lending rates. If the oracle data is manipulated or compromised, it can lead to significant exploits and financial losses for the protocol and its users.
Impact
Price manipulation can have severe consequences for the Wise Lending protocol. If an attacker successfully manipulates the price feed data, they can exploit the protocol in various ways:
If the manipulated price feed reports a lower asset price than the true market value, an attacker can borrow assets at an artificially low-interest rate, effectively getting a discounted loan.
Manipulated price feeds can trigger invalid liquidations of borrowers' positions. If the reported price is significantly lower than the real market price, the protocol may incorrectly determine that a borrower's collateral is insufficient, leading to unfair liquidations.
If the price feed reports an inflated asset price, an attacker can use that asset as collateral and borrow more funds than they should be allowed to, based on the true market value of their collateral.
Proof of Concept
The Wise Lending protocol has a heavy reliance on external price oracles without sufficient validation and sanity checks.
In the WiseOracleHub contract, the latestResolver function returns the latest price data for a given token: WiseOracleHub.sol#latestResolver

The _validateAnswer function is responsible for validating the oracle data: OracleHelper.sol#_validateAnswer

The _validateAnswer function retrieves the Chainlink price feed data using _getChainlinkAnswer and performs a min/max check using _compareMinMax if an aggregator is set for the token.

Lack of Comprehensive Validation: The current validation in _validateAnswer is insufficient to detect and prevent price manipulation attempts. The min/max check (_compareMinMax) only ensures that the answer falls within a predefined range, but it does not account for sudden price fluctuations or abnormal deviations from the true market price.

Missing Sanity Checks: The code lacks additional sanity checks to verify the reasonableness of the oracle data. For example, there are no checks to compare the reported price with historical prices or to detect significant price changes within a short time frame.
Tools Used
VsCode
Recommended Mitigation Steps
Implement additional validation checks in the _validateAnswer function, such as comparing the reported price with historical prices, checking for sudden price deviations, and verifying the price against multiple oracle sources.

Implement a delay mechanism for critical actions, such as liquidations or large borrowing requests, to allow time for manual intervention or confirmation in case of suspected price manipulation.
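The following contract is an added illustration of the layered checks discussed in the Proof of Concept and in the first mitigation step above: a heartbeat (staleness) check, static min/max bounds, a deviation check against the last accepted price, and a cross-reference against a second feed. It is written for this report only and is not WiseOracleHub or OracleHelper code; the contract name PriceSanityChecker, the FeedConfig struct, the setFeed and validateAndStore functions and all threshold fields are assumptions. IAggregatorV3 is the latestRoundData subset of Chainlink's real AggregatorV3Interface, and the secondary feed is assumed to be any independent source (for example a TWAP-based one) exposed behind that same interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface, enough for latestRoundData().
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical stand-alone price validator written for this report. It is NOT
///         WiseOracleHub / OracleHelper code and makes no claim about their internals.
///         It layers four checks on top of a raw Chainlink answer: freshness (heartbeat),
///         static min/max bounds, deviation from the last accepted price, and an optional
///         cross-reference against a second, independent feed.
contract PriceSanityChecker {
    uint256 internal constant BPS = 10_000;

    struct FeedConfig {
        IAggregatorV3 primary;
        IAggregatorV3 secondary;       // address(0) disables the cross-reference check
        uint256 heartbeat;             // max age of updatedAt, in seconds
        int256 minAnswer;              // static lower bound (same decimals as the feed)
        int256 maxAnswer;              // static upper bound
        uint256 maxDeviationBps;       // allowed move vs. the last accepted price
        uint256 maxCrossDeviationBps;  // allowed gap between primary and secondary feed
    }

    mapping(address token => FeedConfig) public feeds;
    mapping(address token => int256) public lastAccepted;

    error StalePrice(address token, uint256 updatedAt, uint256 nowTs);
    error IncompleteRound(address token, uint80 roundId, uint80 answeredInRound);
    error OutOfBounds(address token, int256 answer);
    error DeviationTooLarge(address token, int256 answer, int256 reference);
    error CrossReferenceMismatch(address token, int256 answer, int256 other);

    // Configuration is left open here for brevity; a deployment would gate it behind access control.
    function setFeed(address token, FeedConfig calldata cfg) external {
        feeds[token] = cfg;
    }

    /// @dev Returns the validated price and records it as the reference for the next deviation check.
    function validateAndStore(address token) external returns (int256) {
        int256 answer = _validated(token);
        lastAccepted[token] = answer;
        return answer;
    }

    function _validated(address token) internal view returns (int256) {
        FeedConfig storage cfg = feeds[token];

        (uint80 roundId, int256 raw, , uint256 updatedAt, uint80 answeredInRound) =
            cfg.primary.latestRoundData();

        // 1. Heartbeat: a feed that stopped updating must not be treated as live.
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > cfg.heartbeat) {
            revert StalePrice(token, updatedAt, block.timestamp);
        }
        if (answeredInRound < roundId) revert IncompleteRound(token, roundId, answeredInRound);

        // 2. Static bounds: rejects zero/negative answers and values pinned at a circuit-breaker limit.
        if (raw <= 0 || raw < cfg.minAnswer || raw > cfg.maxAnswer) revert OutOfBounds(token, raw);

        // 3. Deviation vs. the last price this contract accepted (skipped until a first price is stored).
        int256 reference = lastAccepted[token];
        if (reference > 0 && _diffBps(raw, reference) > cfg.maxDeviationBps) {
            revert DeviationTooLarge(token, raw, reference);
        }

        // 4. Cross-reference against a second, independent feed with its own freshness check.
        if (address(cfg.secondary) != address(0)) {
            (, int256 other, , uint256 otherUpdated, ) = cfg.secondary.latestRoundData();
            if (other <= 0 || otherUpdated > block.timestamp || block.timestamp - otherUpdated > cfg.heartbeat) {
                revert StalePrice(token, otherUpdated, block.timestamp);
            }
            if (_diffBps(raw, other) > cfg.maxCrossDeviationBps) {
                revert CrossReferenceMismatch(token, raw, other);
            }
        }
        return raw;
    }

    /// @dev |a - b| relative to b, in basis points. Callers guarantee b > 0, so no division by zero.
    function _diffBps(int256 a, int256 b) internal pure returns (uint256) {
        uint256 diff = a > b ? uint256(a - b) : uint256(b - a);
        return diff * BPS / uint256(b);
    }
}
```

The deviation check in step 3 is the "compare with historical prices" mitigation in its simplest form: the reference is the last price the protocol itself accepted, so a single round that jumps more than maxDeviationBps reverts instead of being consumed by liquidation or borrow logic. Thresholds need per-asset tuning (a stablecoin and a volatile token should not share maxDeviationBps), and a reverting oracle is itself a liveness risk, which is why the report's second mitigation (a delay or manual override for critical actions) belongs alongside these checks rather than being replaced by them.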
Assessed type
Oracle