Open hats-bug-reporter[bot] opened 1 year ago
Hello, thanks a lot for your attention.
As you've noticed, the risk is already mitigated thanks to a fixed allowed delta difference between the prices. Just to clarify, the 10% set in the test files is not the value we're going to put in production when the protocol is deployed.
We therefore have to consider this issue Invalid.
Github username: @chewonithard
Submission hash (on-chain): 0xc3e0f72825f3d60af6d3429352006df4d4e0bfcb16266dc8babd1433d8eff745
Severity: high
Description:
`CvgOracle.sol` uses UniV3 slot0 price (if `twapInterval == 0`), which is the instantaneous price, not a TWAP, and can be manipulated with flash loans. In scripts throughout the repo like `_deployIbo.js`, `deployOracle.js`, team sets `twapInterval = 0`, which further demonstrates the likelihood of this occurring.

Attack Scenario
Any user can take a flashloan, manipulate the price of e.g. CRV to drive price down, and purchase bonds from `Ibo.sol` at a bigger discount than intended.

Mitigated by `_getAndVerifyOracleAndAggregatorPrices`, which verifies price against Chainlink, but this is dependent on the threshold in `oracleParams.deltaAggregatorCvgOracle`, which the team sets at 10% (quite significant discount) in tests and config files. Attacker would purchase bonds at a bigger discount at the expense of other users.

Recommendations
`twapInterval > 0` and only return TWAP price.
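
An added illustration, not part of the submission or the project's code: a small Python model of the two controls discussed in this thread, comparing a slot0-style read (`twapInterval == 0`) with a 30-minute TWAP when a single block trades at a shifted tick, and running both through a relative delta check against an aggregator price. The tick values, the 12-second block, the form of the delta comparison and all function names are assumptions made for the example.

```python
# Added example: simplified model, not the protocol's contract code.

def tick_to_price(tick):
    """Uniswap V3 price at a tick: 1.0001 ** tick."""
    return 1.0001 ** tick

def mean_tick(segments, interval):
    """Time-weighted mean tick over the last `interval` seconds.

    segments: (duration_seconds, tick) pairs, oldest first. Summing
    tick * seconds is what the pool's tickCumulative accumulator stores;
    floor division rounds toward negative infinity when averaging it.
    """
    remaining, cumulative = interval, 0
    for duration, tick in reversed(segments):
        used = min(duration, remaining)
        cumulative += used * tick
        remaining -= used
        if remaining == 0:
            return cumulative // interval
    raise ValueError("not enough price history for this interval")

def pool_price(segments, twap_interval):
    """twap_interval == 0 models a slot0 read: only the latest tick counts."""
    if twap_interval == 0:
        return tick_to_price(segments[-1][1])
    return tick_to_price(mean_tick(segments, twap_interval))

def deviation(price, reference):
    """Relative gap between a pool-derived price and a reference price."""
    return abs(price - reference) / reference

def passes_delta_check(price, aggregator_price, delta_bps):
    """Assumed form of the aggregator comparison: relative gap <= delta."""
    return deviation(price, aggregator_price) <= delta_bps / 10_000

# Constructed data: 1788 s at tick -2000, then one 12 s block at tick -2943.
SEGMENTS = [(1788, -2000), (12, -2943)]
# Assumption: the aggregator still reports the undisturbed price.
AGGREGATOR = tick_to_price(-2000)

if __name__ == "__main__":
    for interval in (0, 1800):
        p = pool_price(SEGMENTS, interval)
        print(interval, f"{deviation(p, AGGREGATOR):.4%}",
              passes_delta_check(p, AGGREGATOR, 1000))
```

In this model the instantaneous read sits about 9% below the aggregator and still passes a 10% delta, while the 1800-second TWAP moves by under 0.1%; the width of the delta is what bounds the accepted deviation when `twapInterval` is 0.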