Closed sherlock-admin closed 1 year ago
1 comment(s) were left on this issue during the judging contest.
Trumpero commented:
invalid, the contract executes an external call to curve pool's owner not to the curve pool. Since the "stETH/ETH ng" doesn't have the public owner() function, the call will revert before execute the reentrancy check. So I classify this report as invalid due incorrect desciption
kutugu
high
Some curve pool oracle prices can be manipulated
Summary
This problem is still a well-known readability problem of curve. The reentrant problem cannot be completely avoided by withdraw_admin_fees detection, because for some pools the withdraw_admin_fees function does not have reentrant protection and cannot detect the reentrant state.
Vulnerability Detail
This section uses stETH/ETH ng and stETH/ETH concentrated as an example, there is no revert in the reentrant state. The attacker can reenter the oracle in the protocol when remove_liquidity transfers ETH. At this time, the get_virtual_price has not changed, and the attacker can use the previous price to carry out arbitrage attacks.
Impact
For some curve pool, oracle prices can be manipulated by reentrant attack.
Code Snippet
Tool used
Manual Review
Recommendation
For special pools, other functions should be used to detect reentrant, such as remove_liquidity