MEV bot can sandwich attack oracle update transactions to steal the protocol
Summary
This protocol allows users to swap tokens at a fixed price point without slippage. This seems to mitigate the sandwich attacks but it actually transferred the risk from the swap users to the whole protocol. The swap exchange rate is changed when oracle prices update. The attacker can sandwich the price oracle update transaction to profit from the exchange rate fluctuation.
Vulnerability Detail
The swap exchange rate is determined by the prices in the oracle. The oracle price update will change the exchange rate.
The attacker can monitor the mempool for price update transactions. He can frontrun the price update transaction with a swap transaction and backrun with a reverse swap to profit.
Impact
The protocol is subject to sandwich attack and the attacker can steal protocol assets. Note that this sandwich attack affects the whole assets in the pool and is much worse than the single user swap slippage loss we saw in other swaps like uniswap, sushiswap.
Code Snippet
Swap exchange rate is derived from the price in the oracle.
gmx-synthetics also swaps using oracle price. They measure the market impact of the swap and reflect it in the swap result. This could be a reference design to fix the problem.
n33k
high
MEV bot can sandwich attack oracle update transactions to steal the protocol
Summary
This protocol allows users to swap tokens at a fixed price point without slippage. This seems to mitigate the sandwich attacks but it actually transferred the risk from the swap users to the whole protocol. The swap exchange rate is changed when oracle prices update. The attacker can sandwich the price oracle update transaction to profit from the exchange rate fluctuation.
Vulnerability Detail
The swap exchange rate is determined by the prices in the oracle. The oracle price update will change the exchange rate.
The attacker can monitor the mempool for price update transactions. He can frontrun the price update transaction with a swap transaction and backrun with a reverse swap to profit.
Impact
The protocol is subject to sandwich attack and the attacker can steal protocol assets. Note that this sandwich attack affects the whole assets in the pool and is much worse than the single user swap slippage loss we saw in other swaps like uniswap, sushiswap.
Code Snippet
Swap exchange rate is derived from the price in the oracle.
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L439-L457
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/SwapFunctions.sol#L203-L215
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/SwapFunctions.sol#L227-L239
The price is pushed to the oracle contract by calling updatePrices.
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/XOracle.sol#L34
Tool used
Manual Review
Recommendation
gmx-synthetics also swaps using oracle price. They measure the market impact of the swap and reflect it in the swap result. This could be a reference design to fix the problem.
Duplicate of #67