c4-bot-10 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/457230945a49878eefdc1001796b10638c1e7584/src/V3Oracle.sol#L143-L145

Vulnerability details

Impact

Asymmetric calculation of price difference

Proof of Concept

Price difference is calculated in 2 ways depending on whether price > verified price or not.

If price > verified price, this is the equation.

(price - verified price) / price

Otherwise price is calculated with this equation

(verified price - price) / verified price

When the 2 equations above are graphed with price = horizontal axis, we get 2 different curves.

https://www.desmos.com/calculator/nixha3ojz6

The first equation produces a asymptotic curve. (shown in red) The second equation produces a linear curve. (shown in green) Therefore the rate at which the price difference changes is different depending on whether price > verified price or not.

Example

Price difference of +1 or -1 from verified price are not symmetric

# p < v
v = 2
p = 1
d = (v - p) / v
print(d)
# output is 0.5

# p > v
v = 2
p = 3
d = (p - v) / p
print(d)
# output is 0.33333

Tools Used

Manual review, desmos graphing calculator and python

Recommended Mitigation Steps

Use a different equation to check price difference (shown in blue)

|price - verified price| / verified price <= max difference

Assuming verifyPriceX96 > 0

        uint256 diff = priceX96 >= verifyPriceX96
            ? (priceX96 - verifyPriceX96) * 10000
            : (verifyPriceX96 - priceX96) * 10000;

        require(diff / verifyPriceX96 <= maxDifferenceX1000)