hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for Hats Finance audit competition

CvgV3Aggregator latestPrice can be sandwiched for profit #10

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: https://github.com/maarcweiss
Submission hash (on-chain): 0xae47bc81b865a9a2b7c72ef89eeaf42b3387dddf8b5cd64be6a85f365015987e
Severity: high

Description:

TITLE: CvgV3Aggregator latestPrice can be sandwiched for profit

Currently the owner is able to feed the CvgV3Aggregator contract with a price. This price is set as the latestPrice variable and can be fetched through the latestRoundData() function.

    // Owner-only setter: the new price becomes visible to every caller of latestRoundData()
    // as soon as this transaction is mined.
    function setLatestPrice(int256 _newPrice) external onlyOwner {
        latestPrice = _newPrice;
        lastUpdate = block.timestamp;
        emit SetLatestPrice(_newPrice, block.timestamp);
    }

An attacker can leverage this by:

The owner sends the transaction to update the oracle price, and it gets placed in the mempool. The attacker sees this transaction and sends two transactions of his own. The attacker sets the gas to ensure that the first tx gets included before the price update, and the second one after the price update. The executed transactions, in order, will be:

SEVERITY

High

A LINK TO THE GITHUB CODE

https://github.com/hats-finance/Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777/blob/f43c5d9bc6b30c9f488e34836f09dc04d8f7361f/contracts/Oracles/CvgV3Aggregator.sol#L48-L52

maarcweiss commented 1 year ago

As a recommendation, an option would be to pause/unpause any functionality that calls latestRoundData() at the time there is an update.

shalbe-cvg commented 1 year ago

Hello, thanks a lot for your attention.

The price is calculated at the same time as the CVG price found in the LP. Therefore, if the two prices don't match (allowing a percentage delta with the deltaCvgAggregator variable), then the bond deposit won't go through.

We therefore consider this issue Invalid.
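An added illustration of the guard shalbe-cvg describes, written for this thread and not taken from the Convergence repo: the deposit path reads the aggregator's latestRoundData() and an LP-derived price in the same transaction and reverts when they differ by more than deltaCvgAggregator. The interface name, the lpPrice parameter and the basis-point encoding of the delta are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal view of the feed discussed in the thread (interface name is assumed).
interface ICvgV3Aggregator {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Added example, not project code: a deposit guard that compares the owner-fed
// aggregator price with an LP-derived price read in the same transaction.
// deltaCvgAggregator is assumed to be a percentage in basis points (200 = 2%).
contract BondDepositGuard {
    uint256 public constant BPS = 10_000;
    ICvgV3Aggregator public immutable aggregator;
    uint256 public deltaCvgAggregator;

    error PriceDeviation(uint256 aggregatorPrice, uint256 lpPrice);
    error InvalidFeedAnswer();

    constructor(ICvgV3Aggregator _aggregator, uint256 _deltaBps) {
        require(_deltaBps < BPS, "delta too large");
        aggregator = _aggregator;
        deltaCvgAggregator = _deltaBps;
    }

    // True when |aggregatorPrice - lpPrice| <= lpPrice * deltaCvgAggregator / BPS.
    function withinDelta(uint256 aggregatorPrice, uint256 lpPrice) public view returns (bool) {
        uint256 diff = aggregatorPrice > lpPrice ? aggregatorPrice - lpPrice : lpPrice - aggregatorPrice;
        return diff * BPS <= lpPrice * deltaCvgAggregator;
    }

    // lpPrice is assumed to be derived by the caller from pool reserves in the same tx,
    // scaled to the feed's decimals. Because both values are read atomically, a deposit
    // ordered just before or just after a feed update only succeeds while the feed still
    // agrees with the pool, which is what removes the profit from the ordering game.
    function _checkDepositPrice(uint256 lpPrice) internal view returns (uint256 aggregatorPrice) {
        (, int256 answer, , , ) = aggregator.latestRoundData();
        if (answer <= 0 || lpPrice == 0) revert InvalidFeedAnswer();
        aggregatorPrice = uint256(answer);
        if (!withinDelta(aggregatorPrice, lpPrice)) revert PriceDeviation(aggregatorPrice, lpPrice);
    }
}
```

A deposit function in the bonding contract would call _checkDepositPrice(lpPrice) before pricing the bond; the strictness of the guard is entirely a question of how small deltaCvgAggregator is set.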

maarcweiss commented 1 year ago

Hi @shalbe-cvg. Thanks for the answer. In what sense is this issue different from: https://github.com/sherlock-audit/2023-04-unitasprotocol-judging/issues/67

Sorry, I just saw the message and don't fully remember the codebase as it was almost a month ago. Could you please explain in a bit more depth why you think it is not valid, thanks :)