search

sherlock-audit / 2023-03-Y2K-judging

7 stars 1 forks source link

Saeedalipoor01988 - PriceOracle Does Not Filter Price Feed Outliers and triggerDepeg is vulnerable to flash loan attacks #146

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Saeedalipoor01988

high

PriceOracle Does Not Filter Price Feed Outliers and triggerDepeg is vulnerable to flash loan attacks

Summary

If Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price, anyone can make call to triggerDepeg and Trigger depeg event.

Vulnerability Detail

If for whatever reason the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price, the result will be passed onto users, causing unintended consequences as a result.

In the same time it's possible to construct mitigation mechanics for such cases, so user economics be affected by sustainable price movements only. As price outrages provide a substantial attack surface for the project it's worth adding some complexity to the implementation.

    AggregatorV3Interface priceFeed = AggregatorV3Interface(
        vaultFactory.tokenToOracle(_token)
    );
    (uint80 roundID, int256 price, , , uint80 answeredInRound) = priceFeed
        .latestRoundData();
    uint256 decimals = priceFeed.decimals();

    if (decimals < 18) {
        decimals = 10**(18 - (decimals));
        price = price * int256(decimals);
    } else if (decimals == 18) {
        price = price;
    } else {
        decimals = 10**((decimals - 18));
        price = price / int256(decimals);
    }

    **if (price <= 0) revert OraclePriceZero();**

    **if (answeredInRound < roundID) revert RoundIDOutdated();**

The above code outlines how prices are utilised , the code just check price is more than zero.

    if (int256(premiumVault.strike()) <= price)
        revert PriceNotAtStrikePrice(price);

And only check for depeg is strike become > price. for example if strike price is 1$, attacker just need to manuplate oracle price in one block and decrease it from 1$ to 0.99 $.

Impact

If Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price "for example flash-loan", anyone can make call to triggerDepeg and Trigger depeg event using price manipulation.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L313 https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L64

Tool used

Manual Review

Recommendation

Consider querying both the Chainlink oracle and Uniswap pool for latest prices, ensuring that these two values are within some upper/lower bounds of each other. It may also be useful to track historic values and ensure that there are no sharp changes in price. However, the first option provides a level of simplicity as UniswapV3's TWAP implementation is incredibly resistant to flash loan attacks. Hence, the main issue to address is a malfunctioning Chainlink oracle.

hrishibhat commented 1 year ago

Sherlock does not accept issues related to external Oracle price manipulation in general.