Open c4-bot-9 opened 3 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
This is meant more for a black swan scenario where the delta is set at 50%. In practice, the price diff between order price and oracle > chainlink threshold is capped at 0.5%.
The impact is low after paying a 0.3% flashswap fee. QA is appropriate.
hansfriese changed the severity to QA (Quality Assurance)
hansfriese marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibOracle.sol#L102-L106
Vulnerability details
Impact
When the price of a token changes significantly, if the TWAP is intentionally not used, an attacker can benefit from the price difference.
Proof of Concept
In LibOracle.baseOracleCircuitBreaker, if the cached price and the newly retrieved price from Chainlink are significantly different, the UniswapV3 TWAP oracle is used. If the WETH balance in the Uniswap pool is less than 100 ether, the TWAP is not used, and the price from Chainlink is used instead.

Attackers can manipulate the WETH balance of the Uniswap pool using Uniswap's flashswap feature. In other words, attackers can intentionally disable the TWAP.
The Chainlink oracle updates more slowly than the DEX. When the price of a token changes significantly, an attacker who intentionally prevents the TWAP from being used can benefit from the difference between the lagging Chainlink price and the DEX price.
Tools Used
Manual Review
Recommended Mitigation Steps
Check UniswapV3 flashswap in this way.
Assessed type
Oracle
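As an added illustration, not code from the DittoETH repository or from this report, the following Python model reproduces the circuit-breaker behaviour the finding describes (deviation from the cached price switches to the TWAP, unless the pool's spot WETH balance is under 100 ether) and shows how a same-block flash swap flips the price source back to the lagging Chainlink answer. Everything here is an assumption of the example: the `Pool` dataclass and its `twa_liquidity` field, the `breaker_*` functions, the 50% delta (taken from the judge's comment above), the scenario prices, and the hardened `breaker_time_weighted` variant, which gates on time-weighted liquidity rather than the spot ERC20 balance and is not the sponsor's fix.

```python
from dataclasses import dataclass, replace

ETHER = 10**18
DEVIATION_DELTA = 0.5        # 50% delta, as stated in the judge's comment above
MIN_POOL_WETH = 100 * ETHER  # the 100 ether balance check named in the finding
FLASH_SWAP_FEE_BPS = 30      # 0.3% flash-swap fee, the cost the judge cites


@dataclass(frozen=True)
class Pool:
    """Toy view of the Uniswap v3 WETH pool (constructed values, not chain data)."""
    weth_balance: int   # WETH.balanceOf(pool): a spot value, movable within one block
    twap_price: float   # USD per ETH over the TWAP window
    twa_liquidity: int  # time-weighted in-range liquidity over the same window (assumed field)


def flash_swap_out(pool: Pool, weth_out: int) -> Pool:
    """A flash swap borrows WETH inside the block. The TWAP and the time-weighted
    liquidity come from past observations, so they do not move in that block."""
    if weth_out > pool.weth_balance:
        raise ValueError("pool cannot lend more WETH than it holds")
    return replace(pool, weth_balance=pool.weth_balance - weth_out)


def breaker_spot_balance(cached: float, chainlink: float, pool: Pool):
    """Model of the logic the finding describes (not the project's own code):
    when Chainlink deviates from the cached price, use the TWAP, unless the
    pool holds under 100 ether of WETH, in which case use Chainlink anyway."""
    if abs(chainlink - cached) / cached <= DEVIATION_DELTA:
        return chainlink, "chainlink"
    if pool.weth_balance < MIN_POOL_WETH:
        return chainlink, "chainlink (twap skipped: spot weth < 100 ether)"
    return pool.twap_price, "twap"


def breaker_time_weighted(cached: float, chainlink: float, pool: Pool, min_liquidity: int):
    """Hardened variant, an assumption of this example rather than the sponsor's fix:
    gate the TWAP on time-weighted liquidity, which a same-block flash swap cannot lower."""
    if abs(chainlink - cached) / cached <= DEVIATION_DELTA:
        return chainlink, "chainlink"
    if pool.twa_liquidity < min_liquidity:
        return chainlink, "chainlink (twap skipped: thin time-weighted liquidity)"
    return pool.twap_price, "twap"


def attacker_edge(oracle_price: float, dex_price: float, notional_eth: float) -> float:
    """USD gained by trading against the protocol at its oracle price and unwinding
    at the DEX price, net of the flash-swap fee on the borrowed notional (no slippage)."""
    gross = abs(oracle_price - dex_price) * notional_eth
    fee = dex_price * notional_eth * FLASH_SWAP_FEE_BPS / 10_000
    return gross - fee


def simulate(breaker, flash_out_weth: int = 0, **kw) -> dict:
    """Constructed black-swan scenario: ETH fell from 3000 to 1200 on the DEX, the
    TWAP sits at 1250, and Chainlink's latest answer lags at 1400 (a 53% move from
    the cached 3000, so the deviation branch is taken)."""
    cached, chainlink, dex_spot = 3000.0, 1400.0, 1200.0
    pool = Pool(weth_balance=150 * ETHER, twap_price=1250.0, twa_liquidity=10**21)
    if flash_out_weth:
        pool = flash_swap_out(pool, flash_out_weth)
    price, source = breaker(cached, chainlink, pool, **kw)
    return {"price": price, "source": source, "edge": attacker_edge(price, dex_spot, 10.0)}


if __name__ == "__main__":
    print("no manipulation:", simulate(breaker_spot_balance))
    print("60 WETH flash-swapped out:", simulate(breaker_spot_balance, flash_out_weth=60 * ETHER))
    print("time-weighted gate:", simulate(breaker_time_weighted, flash_out_weth=60 * ETHER, min_liquidity=10**20))
```

Without manipulation the breaker picks the TWAP (1250) and the attacker's edge over a 10 ETH notional is 464 USD after the 0.3% fee; flash-swapping 60 WETH out of a 150 WETH pool drops the spot balance under 100 ether, the model falls back to the stale Chainlink answer (1400), and the edge grows to 1964 USD. The time-weighted gate is unaffected by the same flash swap because the observation-based liquidity did not change in that block.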