hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for the Hats Finance audit competition

Curve oracle does not work for all curve pools, especially curve V1 pool #35

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @JeffCX
Submission hash (on-chain): 0x1eb12174f6bf021ee077598aab939ae3beddf917c9ef2982468a3a7ed349eb12
Severity: medium

Description

Curve oracle does not work for all curve pools

Attack Scenario

In the current implementation, the oracle uses the Curve oracle's last_prices directly:

    function _getCrvPoolPrice(
        address crvPool,
        bool isReversed,
        bool isEthPriceRelated
    ) internal view returns (uint256, bool) {
        return _postTreatmentAndVerifyEth(ICrvPool(crvPool).last_prices(), isReversed, isEthPriceRelated);
    }

    /**
     *  @notice Compute the Time Weighted Average Price in wei
     *  @param crvPool Address of the Curve Pool
     *  @param k token index
     */
    function _getCrvPoolTricrypto(address crvPool, uint256 k) internal view returns (uint256, bool) {
        return _postTreatmentAndVerifyEth(ICrvPool(crvPool).last_prices(k), false, false);
    }

However, for old versions of Curve V1, there is no such view function exposed called last_price:

https://resources.curve.fi/factory-pools/understanding-oracles/#v1-pools

Newer v1 Pools also contain a price oracle function, which also displays a moving average of recent prices. If the moving average price was written to the contract in the same block it will return this value, otherwise it will calculate on the fly any changes to the moving average since it was last written.

Curve v1 pools do not have a concept of price scale, so no endpoint exists for retrieving this value. Older v1 pools will also not have a price oracle, so use caution if you are attempting to retrieve this value on-chain.

In fact, if we look at a few V1 Curve pools that have a large amount of liquidity, there is no last_price view function exposed:

https://curve.readthedocs.io/ref-addresses.html

for example

https://etherscan.io/address/0xbebc44782c7db0a1a60cb6fe97d0b483032ff1c7#readContract

or

https://etherscan.io/address/0xF9440930043eb3997fc70e1339dBb11F341de7A8#readContract

There is no last_price function exposed.

Attachments

  1. Proof of Concept (PoC) File

If the underlying Curve pool does not support the last_price function being called, the oracle directly reverts.

  2. Revised Code File (Optional)

Consider using the Uniswap V3 TWAP oracle instead.
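The revert path the report describes, as an added illustration that is not part of the original issue, the reporter's PoC, or the Convergence code base: two constructed mock pools (a crypto-style pool that exposes `last_prices()`, a tricrypto-style pool that exposes `last_prices(k)`, and a stable-swap-style pool that exposes neither), an unguarded lookup with the same shape as the quoted `_getCrvPoolPrice`, and a guarded variant that probes the exact selector with a `staticcall` and reports "unsupported" rather than reverting with empty data. All contract names, the mock pools and their constant prices, and the `_probe` helper are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not code from the Convergence repository or the reporter's PoC.
// Interfaces are split (rather than overloaded) so that abi.encodeCall and
// .selector can name each last_prices variant unambiguously.
interface ICrvCryptoPool {
    function last_prices() external view returns (uint256);           // 2-coin crypto pools
}

interface ICrvTricryptoPool {
    function last_prices(uint256 k) external view returns (uint256);  // tricrypto pools
}

// Constructed stand-in for a Curve V2 (crypto) pool exposing last_prices().
contract MockCryptoPool {
    uint256 internal constant PRICE = 1_800e18; // constructed value, 18 decimals
    function last_prices() external pure returns (uint256) { return PRICE; }
}

// Constructed stand-in for a Curve tricrypto pool exposing last_prices(k).
contract MockTricryptoPool {
    function last_prices(uint256 k) external pure returns (uint256) {
        return k == 0 ? 30_000e18 : 1_800e18; // constructed values per coin index
    }
}

// Constructed stand-in for an older Curve V1 stable pool: it has a virtual
// price but no last_prices selector and no fallback, so a call to
// last_prices() hits no function and reverts with empty return data.
contract MockStablePool {
    function get_virtual_price() external pure returns (uint256) { return 1.02e18; }
}

// Unguarded lookup, mirroring the shape of the quoted _getCrvPoolPrice:
// when the pool lacks the selector the whole call reverts with no reason.
contract UnguardedOracle {
    function getPrice(address crvPool) external view returns (uint256) {
        return ICrvCryptoPool(crvPool).last_prices();
    }
}

// Guarded lookup: probe the selector the oracle needs and return
// (price, supported) so a caller can fall back or fail with a clear error.
contract GuardedOracle {
    error UnsupportedPool(address pool, bytes4 selector);

    // staticcall never reverts by itself. A missing selector shows up as
    // ok == false (target reverts, no fallback); an address without code
    // shows up as ok == true with empty return data. Both are "unsupported".
    function _probe(address pool, bytes memory callData)
        internal
        view
        returns (uint256 price, bool supported)
    {
        (bool ok, bytes memory ret) = pool.staticcall(callData);
        if (!ok || ret.length < 32) return (0, false);
        return (abi.decode(ret, (uint256)), true);
    }

    // Counterpart of _getCrvPoolPrice for 2-coin crypto pools.
    function getCrvPoolPrice(address pool) external view returns (uint256, bool) {
        return _probe(pool, abi.encodeCall(ICrvCryptoPool.last_prices, ()));
    }

    // Counterpart of _getCrvPoolTricrypto.
    function getCrvPoolTricrypto(address pool, uint256 k) external view returns (uint256, bool) {
        return _probe(pool, abi.encodeCall(ICrvTricryptoPool.last_prices, (k)));
    }

    // Strict variant: same probe, but an unsupported pool fails loudly with the
    // offending pool address and selector in the revert data.
    function getCrvPoolPriceStrict(address pool) external view returns (uint256) {
        (uint256 price, bool supported) = _probe(pool, abi.encodeCall(ICrvCryptoPool.last_prices, ()));
        if (!supported) revert UnsupportedPool(pool, ICrvCryptoPool.last_prices.selector);
        return price;
    }
}
```

Deploy the three mocks and call `GuardedOracle.getCrvPoolPrice` with each: the crypto pool returns `(1800e18, true)`, the stable pool returns `(0, false)`, while `UnguardedOracle.getPrice` on the stable pool reverts with empty data. Two caveats a reviewer would raise: a matching selector only proves the pool answers `last_prices`, not that it is a pool type whose reported price the oracle should trust, so an explicit allow-list of pool addresses set at configuration time remains the stronger control; and returning `(0, false)` merely moves the decision to the caller, which must not silently treat an unsupported pool as a zero price.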

walk-on-me commented 1 year ago

Hello, thanks a lot for your attention.

The pools you are showing as examples are stable pools; it's normal that they don't have any price like the others. We are not targeting stable pools in our oracle. We therefore have to consider this issue as invalid.