PriceOracle Does Not Filter Price Feed Outliers and triggerDepeg is vulnerable to flash loan attacks
Summary
If Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price, anyone can make call to triggerDepeg and Trigger depeg event.
Vulnerability Detail
If for whatever reason the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price, the result will be passed onto users, causing unintended consequences as a result.
In the same time it's possible to construct mitigation mechanics for such cases, so user economics be affected by sustainable price movements only. As price outrages provide a substantial attack surface for the project it's worth adding some complexity to the implementation.
The above code outlines how prices are utilised , the code just check price is more than zero.
if (int256(premiumVault.strike()) <= price)
revert PriceNotAtStrikePrice(price);
And only check for depeg is strike become > price. for example if strike price is 1$, attacker just need to manuplate oracle price in one block and decrease it from 1$ to 0.99 $.
Impact
If Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price "for example flash-loan", anyone can make call to triggerDepeg and Trigger depeg event using price manipulation.
Consider querying both the Chainlink oracle and Uniswap pool for latest prices, ensuring that these two values are within some upper/lower bounds of each other. It may also be useful to track historic values and ensure that there are no sharp changes in price. However, the first option provides a level of simplicity as UniswapV3's TWAP implementation is incredibly resistant to flash loan attacks. Hence, the main issue to address is a malfunctioning Chainlink oracle.
Saeedalipoor01988
high
PriceOracle Does Not Filter Price Feed Outliers and triggerDepeg is vulnerable to flash loan attacks
Summary
If Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price, anyone can make call to triggerDepeg and Trigger depeg event.
Vulnerability Detail
If for whatever reason the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price, the result will be passed onto users, causing unintended consequences as a result.
In the same time it's possible to construct mitigation mechanics for such cases, so user economics be affected by sustainable price movements only. As price outrages provide a substantial attack surface for the project it's worth adding some complexity to the implementation.
The above code outlines how prices are utilised , the code just check price is more than zero.
And only check for depeg is strike become > price. for example if strike price is 1$, attacker just need to manuplate oracle price in one block and decrease it from 1$ to 0.99 $.
Impact
If Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price "for example flash-loan", anyone can make call to triggerDepeg and Trigger depeg event using price manipulation.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L313 https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L64
Tool used
Manual Review
Recommendation
Consider querying both the Chainlink oracle and Uniswap pool for latest prices, ensuring that these two values are within some upper/lower bounds of each other. It may also be useful to track historic values and ensure that there are no sharp changes in price. However, the first option provides a level of simplicity as UniswapV3's TWAP implementation is incredibly resistant to flash loan attacks. Hence, the main issue to address is a malfunctioning Chainlink oracle.