Nadin - Curve oracle manipulation possible with read only reentrancy in `get_virtual_price`. And curve pool uses vulnerable vyper version.

[sherlock-admin2]

Nadin

high

Curve oracle manipulation possible with read only reentrancy in get_virtual_price. And curve pool uses vulnerable vyper version.

Summary

get_virtual_price() was originally considered to be a manipulation-resistant price - suitable as a price oracle, but it was later found to be vulnerable to a read-only reentrancy attack. The attacker could use this to artificially inflate the price of the LP token/its balance, and use the inflated balance to take out loans which become undercollateralized at the end of the transaction, or to buy assets at exchange rates not actually available on the open market.

Vulnerability Detail

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/oracles/providers/CurveV1StableEthOracle.sol#L155 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/oracles/providers/CurveV2CryptoEthOracle.sol#L165 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/CurveV1PoolNoRebasingStatsCalculator.sol#L22 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/CurveV1PoolRebasingStatsCalculator.sol#L23

• get_virtual_price() is used in the above functions. It can easily be manipulated with read-only reentrancy and the attack is well explained in this article.
• On sunday 31-07-2023, a zero-day affecting vyper compiler versions v0.2.15-0.3.0 has been found and exploited in order to drain multiple curve pools.
• Although no concrete exploit has been found as a result of the non-working reentrancy lock: https://twitter.com/CurveFinance/status/1685925429041917952 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/oracles/providers/CurveV1StableEthOracle.sol#L1 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/oracles/providers/CurveV2CryptoEthOracle.sol#L1 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/CurveV1PoolNoRebasingStatsCalculator.sol#L1 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/CurveV1PoolRebasingStatsCalculator.sol#L1

  Tool used

  Manual review

  Impact

  Curve classic problem read-only reentrant, get_virtual_price can be manipulated which is used for pricing LP tokens.

  Code Snippet

  https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/oracles/providers/CurveV1StableEthOracle.sol#L155 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/oracles/providers/CurveV2CryptoEthOracle.sol#L165 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/CurveV1PoolNoRebasingStatsCalculator.sol#L22 https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/CurveV1PoolRebasingStatsCalculator.sol#L23

  Tool used

Manual Review

Recommendation

Use TWAP to determine the prices of the underlying assets in the pool. Or Add a reentrancy guard to protect against reentrancy.

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

Trumpero commented:

invalid, the read-only reentrant has been prevented by protocol using withdraw_admin_fees().