Open hats-bug-reporter[bot] opened 3 weeks ago
As you say
attacker can only profit from price differences across minimum two update cycles
that's the intended effect; while the user would collect one batch of yield profit, Eurodollar should also produce proportional yield. This might be the best profit scenario for the user but on average it should not negatively affect the protocol/organization economically as far as I can tell.
Github username: -- Twitter username: 0xgreed_ Submission hash (on-chain): 0x4c9c017bf1a635da2de09e3e7b88ff6d73ed640ea8b4d4bc156e07e7147ba8a5 Severity: medium
Description:
Relevant Context
The
YieldOracle
contract manages price updates through a two-step process:updatePrice()
to set a new pricecommitPrice()
to make the price effectiveThe contract tracks three price values:
previousPrice
: Used forsharesToAssets()
calculationscurrentPrice
: Used forassetsToShares()
calculationsnextPrice
: Pending price waiting to be committedFinding Description
The two-step price update mechanism combined with the use of
previousPrice
for share-to-asset conversions creates an opportunity of a high return trade. An attacker can monitor forcommitPrice()
transactions and execute the following attack:commitPrice()
transaction by buying tokens when price is lowThe vulnerability is exacerbated by using
previousPrice
insharesToAssets()
instead ofcurrentPrice
, which means the attacker can only profit from price differences across minimum two update cycles. But this doesn't mean the attack is not profitable and not possible.Impact Explanation
Medium. This vulnerability allows attackers to extract value from the protocol by exploiting price updates, while not participating to the benefit of the protocol.
Likelihood Explanation
Medium. The attack requires no special permissions or complex setup, just the ability to monitor and front-run transactions which is common in DeFi. The profit potential makes this attack highly likely to be exploited by any attacker and mev searchers.
Proof of Concept
commitPrice()
transaction (which is with a higher price than the current one, as the protocol force it)assetsToShares()
at current low pricecommitPrice()
executes, setting new highernextPrice
sharesToAssets()
, profiting from price differenceRecommendation
Add minimum holding periods before shares can be minted.