Closed c4-bot-7 closed 6 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
It's protocol's intended design with no actual threat entailed other than the one hypothetically described. QA at best.
raymondfam marked the issue as insufficient quality report
hansfriese changed the severity to QA (Quality Assurance)
hansfriese marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibOracle.sol#L87
Vulnerability details
Impact
TWAP oracles are designed to be more resistant to price manipulation,but they are not immune . Hardcoding twap interval or making it immutable makes it easy to manipulate. Although the check for minimum liquidity pool amount makes it harder for a attacker to manipulate it , but there is still a chance to manipulate it since the time interval is just 30 mins there is still a slight chance that the price can be manipulated by some amount.So the attacker will need to use their capital to inflate the price a flashloan wouldn't work here.[since it is a time-weighted oracle, so time(blocks) must first pass before the desired price is incorporated]
Let's say a asset has price of $100.
A 5% decrease in the market price of the asset ($100) means the price needs to move to $95.
For each block, to achieve this 5% movement, traders would execute transactions that push the price towards $95.
The cost incurred in each block due to arbitrage and fees is constant. Let’s assume it's $500 per block.
Therefore, for 30 blocks (30 min), the total cost would be 30 blocks * $500/block = $15,000.
[NOTE:
Although it is a huge cost for a arbitrager but it still might be profitable for him through the callerfee liquidation . and also they can place arbitrary large orders at arbitrary large or small price points => do this continuosly to influence TWAP & use the manipulated twap for profit
Proof of Concept
Although the the protocol has done several checks for stopping price manipulation, but if the relation
(chainlinkDiff <= twapDiff)
is false the function returns the twap price (where also a further check is done for small liquidty pool, this additional check also makes it hard to manipulate the price)But let's just say an attacker (a shorter on the protocol) wants to liquidate some shorter, they can just inflate the prices maybe by some percent which makes the shorter undercollateralize and the attacker can liquidate him and recieve the caller fee. Another instance is that a bidder may also have to provide more collateral on his buying than the required amount .
Tools Used
Manual Review
Recommended Mitigation Steps
Make a variable called
twapseconds
inLibOracle.sol
uint private twapseconds = 30 minutes
and then change this lineAlso add a function for changing the
twap
duration[NOTE:
[ NOTE:
Assessed type
Oracle