In token_rate.update_rate, the function first check if the rate is outdated, then update the price if the rate is outdated., which is incorrect for a token that has rapid change rate.
90 pub fn update_rate(&mut self, current_time: u64) -> bool {
91 if self.is_outdated(current_time) { <<<--- the function first check if the rate is outdated, and then update the rate if so
92 self.update(current_time)
93 } else {
94 false
95 }
96 }
Attack Scenario\
Please consider in a case the tokenA:tokenB = 1:1, at some point, due some reason, tokenA:tokenB = 100:1, because of the check in token_rate.rs#L91 returns false, so the stale price will be used.
Github username: -- Twitter username: -- Submission hash (on-chain): 0xdc37c2af460bbb4924d6cff57b5511047ee7597fca5e42aa8469c205a9d4d63a Severity: medium
Description: Description\
token_rate.update_rate
's implemenation isn't correctly, by abusing the issue, stale price might be used.token_rate.update_rate
is used by lib.update_rates, andlib.update_rates
is used by lib._swap_exact_in, lib._swap_exact_out and other functions, I will take lib._swap_exact_in as an example.self.update_rates
is called in lib.rs#L440rate.update_rate
will be called in lib.rs#L319Attack Scenario\ Please consider in a case the tokenA:tokenB = 1:1, at some point, due some reason, tokenA:tokenB = 100:1, because of the check in token_rate.rs#L91 returns false, so the stale price will be used.
The pool will lost assets.
Attachments