Price Manipulation through inputting small values for the same pair logic
Summary
A user could use the Diversifier template to create a swapper that exchanges WETH for ETH or vice versa. The developer team has acknowledged this case by checking for identical addresses. However, the baseAmount variable can hold a very small value, which makes a round-down possible and allows users to get free funds.
Vulnerability Detail
_getQuoteAmount is the function in the oracle implementation that fetches the price for a pair using the Uniswap V3 TWAP oracle. The developers also handle the case where the swapper asks for a quote and the base and quote tokens are the same, which happens when the beneficiary wants to exchange WETH for ETH or vice versa. ETH is treated as address(0) inside the contract logic, and when the converted tokens are equal the oracle does not fetch a price, because that would fail. Instead it calculates the output directly using the formula quoteParams_.baseAmount * po.scaledOfferFactor / PERCENTAGE_SCALE;. If baseAmount is 1, the output can be 0 ( 1 * 99_00_00 / 100_00_00 ) because integer division rounds down in Solidity. The swapper will then send 1 wei of WETH to the attacker and 0 ETH to the beneficiary. The attack could be run in a loop to maximise profits, as the only attack cost is the gas for the transaction.
Impact
Let's take the following example:
Alice received WETH from slipper in her 1:1 swapper and wants to convert it to ETH.
Alice has set a discount of 0.1%, as the tokens are fairly expensive and it is a free trade risk for the trader.
The trader calls the flash function with a base amount of 1.
The trader will receive 1 wei of WETH, the beneficiary will receive 0 ETH (no balance is deducted from the trader), and the swapper will have 1 ether - 1 WETH.
The attack could be run in a loop to maximise profit, as the amount returned by the oracle will also be rounded down to 0.
Recommendation
Add a check inside the function _getQuoteAmount at L#258 that reverts if the result of the equation from L#259 will be 0 or if baseAmount < 9 ( baseAmount needs to be >= 10 to not have a round down ).
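The same-pair formula from the Vulnerability Detail section, next to a variant that applies the zero-result check from the recommendation. This is an added example, not code from the audited repository: the contract name, function names, the ZeroQuote error and the uint256 parameter types are assumptions, and only baseAmount, scaledOfferFactor, PERCENTAGE_SCALE and the values 99_00_00 / 100_00_00 come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration; not the Splits oracle source.
contract SamePairQuoteExample {
    // Scale taken from the report's arithmetic: 100_00_00 represents 100%.
    uint256 internal constant PERCENTAGE_SCALE = 100_00_00;

    // Hypothetical error name used by the hardened variant.
    error ZeroQuote(uint256 baseAmount);

    /// Same-pair branch as the report describes it.
    /// Integer division truncates, so a small baseAmount can quote to 0.
    function quoteUnchecked(uint256 baseAmount, uint256 scaledOfferFactor)
        public
        pure
        returns (uint256)
    {
        return baseAmount * scaledOfferFactor / PERCENTAGE_SCALE;
    }

    /// Hardened variant: revert when a non-zero baseAmount would be
    /// exchanged for a quote amount of zero.
    function quoteChecked(uint256 baseAmount, uint256 scaledOfferFactor)
        public
        pure
        returns (uint256 quoteAmount)
    {
        quoteAmount = baseAmount * scaledOfferFactor / PERCENTAGE_SCALE;
        if (baseAmount != 0 && quoteAmount == 0) revert ZeroQuote(baseAmount);
    }

    /// Constructed check values using the report's factor 99_00_00.
    function selfCheck() external pure returns (uint256 dust, uint256 normal) {
        // 1 * 990000 / 1000000 truncates to zero in the unchecked path.
        dust = quoteUnchecked(1, 99_00_00);
        // A realistic amount passes the guard and keeps the offer factor.
        normal = quoteChecked(1 ether, 99_00_00);
        assert(dust == 0);
        assert(normal == 0.99 ether);
    }
}
```

The guard only rejects quotes that truncate all the way to zero; a non-zero quote can still lose up to 1 wei to truncation on each call.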
theOwl
medium
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/7303cc26205f10ca9111be31f3574d2573df92b1/splits-oracle/src/UniV3OracleImpl.sol#L248
https://github.com/sherlock-audit/2023-04-splits/blob/7303cc26205f10ca9111be31f3574d2573df92b1/splits-oracle/src/UniV3OracleImpl.sol#L249
https://github.com/sherlock-audit/2023-04-splits/blob/7303cc26205f10ca9111be31f3574d2573df92b1/splits-oracle/src/UniV3OracleImpl.sol#L258-L260
https://github.com/sherlock-audit/2023-04-splits/blob/7303cc26205f10ca9111be31f3574d2573df92b1/splits-swapper/src/SwapperImpl.sol#L203
https://github.com/sherlock-audit/2023-04-splits/blob/7303cc26205f10ca9111be31f3574d2573df92b1/splits-swapper/src/SwapperImpl.sol#L227
https://github.com/sherlock-audit/2023-04-splits/blob/7303cc26205f10ca9111be31f3574d2573df92b1/splits-swapper/src/SwapperImpl.sol#L231
https://github.com/sherlock-audit/2023-04-splits/blob/7303cc26205f10ca9111be31f3574d2573df92b1/splits-swapper/src/SwapperImpl.sol#L249
https://github.com/sherlock-audit/2023-04-splits/blob/7303cc26205f10ca9111be31f3574d2573df92b1/splits-swapper/src/SwapperImpl.sol#L257
Tool used
Manual Review
Duplicate of #104