Github username: --
Submission hash (on-chain): 0xdd8b44e1ca79e32073cd25eb4ebfbbe7b0f2632587ec730c898465caa571c654
Severity: high severity
Description:
Summary
The vulnerability arises from the dependence on the total_supply value within the calculate_lp_token_price function. By manipulating the totalSupply of the pool using a flash loan, an attacker could potentially distort the fair reserves used in the LP token price calculation.
Description
The calculate_lp_token_price function is responsible for calculating the LP token price based on the fair reserves of a Balancer pool. It takes several parameters including the totalSupply, price0, price1, reserve0, and reserve1 of the pool. The calculation involves dividing the fair reserves by the totalSupply to determine the LP token price.
However, the issue arises when the totalSupply value is manipulated through a flash loan attack. By artificially inflating the totalSupply using a flash loan, an attacker can distort the fair reserves used in the price calculation. This manipulation can result in incorrect LP token prices being calculated and returned by the calculate_lp_token_price function.
Furthermore, since the calculate_lp_token_price function is used within the get_lp_price function, any incorrect LP token prices generated by the manipulation of total_supply can propagate through subsequent calculations and affect the overall pricing accuracy in getVeloPrice() of the VMEXOracle.sol contract.
Code snippet
    function calculate_lp_token_price(
        uint256 total_supply,
        uint256 price0,
        uint256 price1,
        uint256 reserve0,
        uint256 reserve1
    ) internal pure returns (uint256) {
        uint256 a = vMath.nthroot(2, reserve0 * reserve1); // square root
        uint256 b = vMath.nthroot(2, price0 * price1); // this is in decimals of chainlink oracle
        // we want a and total supply to have same number of decimals so c has decimals of chainlink oracle
        uint256 c = 2 * a * b / total_supply;
        return c;
    }
Recommendation
Use a TWAP price.
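The following Python model is an added example, not code from the submission or from the VMEX repository. It reproduces the arithmetic of the snippet to show that the result is unchanged when the reserves move along a constant product but scales inversely with total_supply, and how a TWAP reference, as recommended, flags a spot value that deviates. The sample reserves, prices, observation window and the 200 bps threshold are constructed, `twap` and `spot_ok` are hypothetical helpers, and a floor square root is assumed for `vMath.nthroot(2, x)`.

```python
from math import isqrt

def calculate_lp_token_price(total_supply, price0, price1, reserve0, reserve1):
    # Mirrors the snippet; floor sqrt is an assumption about vMath.nthroot(2, x).
    a = isqrt(reserve0 * reserve1)
    b = isqrt(price0 * price1)  # Chainlink decimals (8 in this sample)
    return 2 * a * b // total_supply

def twap(observations):
    # observations: (lp_price, seconds_the_price_was_in_effect) pairs
    elapsed = sum(dt for _, dt in observations)
    if elapsed == 0:
        raise ValueError("empty observation window")
    return sum(p * dt for p, dt in observations) // elapsed

def spot_ok(spot, reference, max_bps=200):
    # True when spot lies within max_bps basis points of the reference price.
    return abs(spot - reference) * 10_000 <= max_bps * reference

# Constructed sample: 18-decimal reserves and supply, 8-decimal USD prices.
E18, E8 = 10**18, 10**8
PRICE0, PRICE1 = 1 * E8, 100 * E8
SUPPLY = 100_000 * E18
BASE = calculate_lp_token_price(SUPPLY, PRICE0, PRICE1, 1_000_000 * E18, 10_000 * E18)
# Same reserve0 * reserve1 product after a large swap: result unchanged.
SWAPPED = calculate_lp_token_price(SUPPLY, PRICE0, PRICE1, 4_000_000 * E18, 2_500 * E18)
# total_supply read at twice the value with the same reserves: result halves.
SKEWED = calculate_lp_token_price(2 * SUPPLY, PRICE0, PRICE1, 1_000_000 * E18, 10_000 * E18)
# Constructed window of earlier LP prices, each in effect for 600 seconds.
WINDOW = [(2_000_000_000, 600), (2_010_000_000, 600), (1_990_000_000, 600)]
REFERENCE = twap(WINDOW)

if __name__ == "__main__":
    for name, spot in (("base", BASE), ("swapped", SWAPPED), ("skewed", SKEWED)):
        print(name, spot, "ok" if spot_ok(spot, REFERENCE) else "rejected")
```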