Open hats-bug-reporter[bot] opened 3 weeks ago
This is known and intended behaviour. The idea is that we update `maxPriceIncrease` periodically. As mentioned in the README, that variable is a:

> Guard rail to ensure that a faulty oracle bot does not increase price arbitrarily (`maxPriceIncrease`).
Github username: --
Twitter username: --
Submission hash (on-chain): 0x80e80c19c9f14780d49700596673f32a3f25f27b6f197db4cf053ecf529515e9
Severity: high
Description: The `YieldOracle` contract implements a `maxPriceIncrease` check to prevent large price jumps, but this protection only considers the immediate price change:
The flaw is that while each individual update is limited to maxPriceIncrease (default 0.1e18 or 10%), there's no restriction on cumulative price changes over time.
A malicious oracle could perform multiple small updates in succession to achieve a larger price movement than intended.
Attack Scenario

1. Initial price is 1.0 (scaled to 1e18).
2. Oracle wants to manipulate price to 2.0, but `maxPriceIncrease` is 0.1e18 (10%).
3. Oracle executes multiple updates:
   - Update 1: 1.0 → 1.1 (+10%)
   - Update 2: 1.1 → 1.21 (+10%)
   - Update 3: 1.21 → 1.331 (+10%)
   - And so on until reaching target price
4. Each update passes the `maxPriceIncrease` check, but the cumulative change is much larger.
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract YieldOracle {
    // Add state variables for tracking price movement
    uint256 public constant WINDOW_SIZE = 1 days;
    uint256 public constant MAX_CUMULATIVE_CHANGE = 0.3e18; // 30% max change per day
}
```
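The following Python model, added here as an illustration and not code from the YieldOracle project or from either participant in the thread, replays the three-step compounding sequence in the report against two guards: the per-update `maxPriceIncrease` bound alone, and that bound combined with a cumulative bound anchored to the price at the start of a rolling window (the `WINDOW_SIZE` / `MAX_CUMULATIVE_CHANGE` idea from the revised-code attachment). Prices are 1e18-scaled integers as in Solidity; the window-rolling rule, the `OracleModel` class and the constructed timestamps are assumptions of this example.

```python
"""Per-update vs. cumulative price-increase guard (constructed model).

Prices are 1e18-scaled integers, mirroring Solidity fixed-point math.
Timestamps are plain integer seconds. Only increases are bounded, matching
the README's stated purpose of maxPriceIncrease.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAD = 10**18
DAY = 24 * 60 * 60


class PriceUpdateRejected(Exception):
    """Raised when an update violates one of the guards."""


@dataclass
class OracleModel:
    price: int
    max_price_increase: int = WAD // 10        # 10% per update (default cited in the report)
    window_size: int = DAY                      # assumed: mirrors WINDOW_SIZE = 1 days
    max_cumulative_change: int = 3 * WAD // 10  # assumed: mirrors MAX_CUMULATIVE_CHANGE = 0.3e18
    cumulative_guard: bool = True
    window_start: int = 0
    window_anchor_price: Optional[int] = None   # price at the start of the current window

    def __post_init__(self) -> None:
        if self.window_anchor_price is None:
            self.window_anchor_price = self.price

    def update(self, new_price: int, now: int) -> int:
        # Guard 1: the immediate-change check the report describes.
        per_update_cap = self.price * (WAD + self.max_price_increase) // WAD
        if new_price > per_update_cap:
            raise PriceUpdateRejected("exceeds maxPriceIncrease")

        if self.cumulative_guard:
            # Roll the window once it has expired; the new anchor is the
            # last accepted price, so compounding restarts from there.
            if now - self.window_start >= self.window_size:
                self.window_start = now
                self.window_anchor_price = self.price
            # Guard 2: bound the total increase relative to the window anchor,
            # which is what closes the compounding gap in the report.
            window_cap = self.window_anchor_price * (WAD + self.max_cumulative_change) // WAD
            if new_price > window_cap:
                raise PriceUpdateRejected("exceeds MAX_CUMULATIVE_CHANGE within window")

        self.price = new_price
        return self.price


def run_sequence(cumulative_guard: bool,
                 updates: List[Tuple[int, int]]) -> Tuple[int, int, int]:
    """Apply (new_price, timestamp) pairs starting from 1.0.

    Returns (final_price, accepted_count, rejected_count).
    """
    oracle = OracleModel(price=WAD, cumulative_guard=cumulative_guard)
    accepted = rejected = 0
    for new_price, ts in updates:
        try:
            oracle.update(new_price, ts)
            accepted += 1
        except PriceUpdateRejected:
            rejected += 1
    return oracle.price, accepted, rejected


# Constructed sequence from the report: +10% three times, all within one day.
STEPS = [
    (11 * WAD // 10, 60),      # 1.0  -> 1.1
    (121 * WAD // 100, 120),   # 1.1  -> 1.21
    (1331 * WAD // 1000, 180), # 1.21 -> 1.331
]

if __name__ == "__main__":
    print("per-update guard only :", run_sequence(False, STEPS))
    print("with cumulative guard :", run_sequence(True, STEPS))
```

With only the per-update guard every step is accepted and the price reaches 1.331; with the window-anchored guard the third step is rejected because 1.331 exceeds 1.3 times the window's starting price, so the price stops at 1.21. The anchor resets only when the window expires, which is the property that makes repeated small steps no more powerful than one large one.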