Prices for ERC4626 tokens are not flash-loan-resistant
Summary
ERC4626 oracle is vulnerable to price manipulation.
Vulnerability Detail
Based on the getPrice function, the price of the LP token of an ERC4626 vault is dependent on the ERC4626.previewredeem and oracleFacade.getPrice functions. If the value returns by either ERC4626.previewredeem or oracleFacade.getPrice can be manipulated within a single transaction/block, the price of the LP token of an ERC4626 vault is considered to be vulnerable to price manipulation.
Also, previewRedeem() includes fees, so it's not the actual price of the underlying assets. The EIP states that previewRedeem() MUST be inclusive of deposit fees. Integrators should be aware of the existence of deposit fees. Furthermore, the EIP states, The preview methods return values that are as close as possible to exact as possible. For that reason, they are manipulable by altering the on-chain conditions and are not always safe to be used as price oracles. This specification includes convert methods that are allowed to be inexact and therefore can be implemented as robust price oracles. For example, it would be correct to implement the convert methods as using a time-weighted average price in converting between assets and shares. https://eips.ethereum.org/EIPS/eip-4626
Impact
A flash loan may skew the price oracle, leading to the mispricing of assets, leading to loss of funds
Avoid using previewredeem function to calculate the price of the LP token of an ERC4626 vault. Use convertToAssets() or consider implementing TWAP so that the price cannot be inflated or deflated within a single block/transaction or within a short period of time.
peanuts
medium
Prices for ERC4626 tokens are not flash-loan-resistant
Summary
ERC4626 oracle is vulnerable to price manipulation.
Vulnerability Detail
Based on the getPrice function, the price of the LP token of an ERC4626 vault is dependent on the ERC4626.previewredeem and oracleFacade.getPrice functions. If the value returns by either ERC4626.previewredeem or oracleFacade.getPrice can be manipulated within a single transaction/block, the price of the LP token of an ERC4626 vault is considered to be vulnerable to price manipulation.
Also, previewRedeem() includes fees, so it's not the actual price of the underlying assets. The EIP states that previewRedeem() MUST be inclusive of deposit fees. Integrators should be aware of the existence of deposit fees. Furthermore, the EIP states, The preview methods return values that are as close as possible to exact as possible. For that reason, they are manipulable by altering the on-chain conditions and are not always safe to be used as price oracles. This specification includes convert methods that are allowed to be inexact and therefore can be implemented as robust price oracles. For example, it would be correct to implement the convert methods as using a time-weighted average price in converting between assets and shares. https://eips.ethereum.org/EIPS/eip-4626
Impact
A flash loan may skew the price oracle, leading to the mispricing of assets, leading to loss of funds
Code Snippet
https://github.com/sentimentxyz/oracle/blob/e940955eba38562d2e27059787294e458e28fe7e/src/plutus/PLVGLPOracle.sol#L46-L52
Tool used
Manual Review
Recommendation
Avoid using previewredeem function to calculate the price of the LP token of an ERC4626 vault. Use convertToAssets() or consider implementing TWAP so that the price cannot be inflated or deflated within a single block/transaction or within a short period of time.