Owner can update the oracle anytime to feed the wrong price.
Summary
Trader's flash() transaction can be frontrunned by malicious swapper owner.
Vulnerability Detail
Swapper owner can keep track of mempool and changes oracle address before flash() transaction is accepted.
Changing to a malicious oracle could lead to incorrect quoteAmount in the flash() function and trader might end up giving out more funds than deserved.
warRoom
high
Owner can update the oracle anytime to feed the wrong price.
Summary
Trader's
flash()
transaction can be frontrunned by malicious swapper owner.Vulnerability Detail
Swapper owner can keep track of mempool and changes oracle address before
flash()
transaction is accepted. Changing to a malicious oracle could lead to incorrect quoteAmount in theflash()
function and trader might end up giving out more funds than deserved.Impact
Loss of traders funds.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L231 https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L163-L166
Tool used
Manual Review
Recommendation