LP Price Manipulation
Open. c4-bot-6 opened 6 months ago.
141345 marked the issue as primary issue.
141345 marked the issue as sufficient quality report.
Acknowledged.
0xmDreamy (sponsor) acknowledged.
thereksfour marked the issue as satisfactory.
thereksfour marked the issue as selected for report.
Well found!
Lines of code
https://github.com/code-423n4/2024-03-abracadabra-money/blob/main/src/oracles/aggregators/MagicLpAggregator.sol#L42-L45
Vulnerability details
Impact
Oracle price can be manipulated.
Proof of Concept
MagicLpAggregator uses pool reserves to calculate the price of the pair token, but reserve values can be manipulated. For example, an attacker can use a flash loan to inflate the pair price; see the coded POC below.
In this test, a user increased the price of the DAI/USDT pair token from 2 USD to 67 USD using the DAI Flash Minter.
Tools Used
Foundry, MagicLpAggregator.t.sol
Recommended Mitigation Steps
Consider adding a sanity check where the base and quote token prices are compared with the Chainlink price feed.
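The following is an added illustration, not code from the report or from the Abracadabra repository: it models a reserve-sum based LP price (a simplified stand-in for MagicLpAggregator's formula, which is an assumption here), shows how a single large swap moves that price without changing LP supply, and implements the recommended sanity check that compares the exchange rate implied by the reserves with the external feed. The pool is modelled as constant-product (x*y=k) and all reserve, supply and feed values are constructed.

```python
from dataclasses import dataclass

WAD = 10**18            # 18-decimal fixed point, as used for normalised reserves
FEED_DECIMALS = 10**8   # Chainlink-style 8-decimal price answers

@dataclass
class Pool:
    base_reserve: int    # DAI reserve, 18 decimals (constructed)
    quote_reserve: int   # USDT reserve, normalised to 18 decimals (constructed)
    total_supply: int    # LP token supply, 18 decimals (constructed)

def lp_price_from_reserves(pool: Pool, base_price: int, quote_price: int) -> int:
    """Reserve-based LP price: the cheaper token's feed price times the total
    reserves, divided by LP supply. Simplified model (assumption), not the contract."""
    min_price = min(base_price, quote_price)
    return min_price * (pool.base_reserve + pool.quote_reserve) // pool.total_supply

def swap_base_in(pool: Pool, dx: int) -> Pool:
    """Constant-product swap of dx base into the pool (assumption: x*y=k curve).
    Reserves change but LP supply does not, so a reserve-sum price moves with it."""
    dy = pool.quote_reserve * dx // (pool.base_reserve + dx)
    return Pool(pool.base_reserve + dx, pool.quote_reserve - dy, pool.total_supply)

def reserves_agree_with_feed(pool: Pool, base_price: int, quote_price: int,
                             max_deviation_bps: int = 200) -> bool:
    """Sanity check: the base/quote rate implied by the reserves must stay within
    max_deviation_bps of the rate implied by the external price feed."""
    pool_rate = pool.quote_reserve * WAD // pool.base_reserve   # base priced in quote
    feed_rate = base_price * WAD // quote_price
    return abs(pool_rate - feed_rate) * 10_000 <= feed_rate * max_deviation_bps

def safe_lp_price(pool: Pool, base_price: int, quote_price: int) -> int:
    """Mitigated read: refuse to answer while reserves disagree with the feed."""
    if not reserves_agree_with_feed(pool, base_price, quote_price):
        raise ValueError("pool reserves deviate from price feed; possible manipulation")
    return lp_price_from_reserves(pool, base_price, quote_price)

if __name__ == "__main__":
    dai, usdt = 1 * FEED_DECIMALS, 1 * FEED_DECIMALS   # both feeds report 1.00 USD
    pool = Pool(1_000_000 * WAD, 1_000_000 * WAD, 1_000_000 * WAD)
    print("honest LP price (USD):", lp_price_from_reserves(pool, dai, usdt) / FEED_DECIMALS)
    skewed = swap_base_in(pool, 100_000_000 * WAD)    # one large flash-funded swap
    print("skewed LP price (USD):", lp_price_from_reserves(skewed, dai, usdt) / FEED_DECIMALS)
    print("reserves agree with feed:", reserves_agree_with_feed(skewed, dai, usdt))
```

The unchecked read reports roughly 101 USD per LP token after the swap even though both feeds still say 1.00 USD; the rate comparison rejects that state, so the oracle falls back to reverting rather than returning an inflated answer.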
Assessed type
Oracle