ctf-sec
commented
1 year ago Valid issue. but protocol will only deploy it at mainnet, for now, cc sponsor @wminshew
Closed sherlock-admin closed 1 year ago
ctf-sec
commented
1 year ago Valid issue. but protocol will only deploy it at mainnet, for now, cc sponsor @wminshew
obront
medium
Oracle is susceptible to attacks if deployed on Optimism
Summary
While the system is currently being deployed only on mainnet, the phrasing seems to imply it will be deployed elsewhere in the future. Optimism produces a new block per transaction and uses L1's
block.timestampfor each block, which makes the UniV3 oracle vulnerable to manipulation.Vulnerability Detail
The current oracle implementation is based on Uniswap V3 oracles, which use the accumulated ticks saved on an individual pool to determine the price over a given time range.
This works because, for the first swap of each block, the
swap()function stores the accumulated ticks up until that price was changed, which ensures that we are always properly weighting previous prices and not allowing in-block transactions to change the value returned by the TWAP.However, Optimism has a few quirks that make this model prone to manipulation:
1) Every transaction is confirmed as an individual block. 2) The block.timestamp of a transaction reflects the block.timestamp of the last L1 block ingested by the Sequencer.
The latency created in this process dramatically reduces the cost of manipulating the pool, and could create risk for Swappers relying on the oracle. As expressed in the Uniswap Docs: "Uniswap pools on Optimism are not suitable for providing oracle prices, as this high-latency block.timestamp update process makes the oracle much less costly to manipulate."
(Note: I'm aware that this will currently be deployed to mainnet only, but the response was phrased "just mainnet for now". This implies that it will be deployed on other networks in the future, and it seems likely that the system will not be reaudited before these deployments. Thus, it seems important to raise issues like this to ensure the oracle isn't deployed to networks where it will not function.)
Impact
If the system is deployed to Optimism, the oracle will be prone to manipulation, which could lead to funds being stolen from Swappers.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-oracle/src/UniV3OracleImpl.sol#L274-L284
Tool used
Manual Review
Recommendation
Before deploying this system to Optimism, be sure to have launched a new oracle that doesn't not rely on Uniswap V3.