sherlock-audit / 2023-07-perennial-judging


feelereth - _retarget function in the Vault contract is vulnerable to price manipulation from the oracles of the registered markets #92

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

feelereth

high

_retarget function in the Vault contract is vulnerable to price manipulation from the oracles of the registered markets

Summary

The _retarget function does rely on latestPrice from the market's oracle, which could potentially be manipulated.

Vulnerability Detail

The _retarget function in the Vault contract is vulnerable to price manipulation from the oracles of the registered markets. The key parts of _retarget are Link.

This calls the update function on the market, passing in the new target position and collateral amounts calculated by the vault's strategy. The problem is that target is calculated based on latestPrice from the market's oracle (Link 2 & Link 3).

Impact

The latestPrice can be manipulated by the oracle. By reporting a fake price, the oracle can trick the vault into putting more collateral into the market than it should based on the real price. This could allow an attacker to drain collateral from the vault by manipulating prices.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-vault/contracts/Vault.sol#L391-L400 https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-vault/contracts/Vault.sol#L424 https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-vault/contracts/Vault.sol#L359-L363

Tool used

Manual Review

Recommendation

The Vault contract should not rely solely on the price from the market's oracle.
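To make the reported data flow concrete, here is an added sketch (not Perennial's code; the interfaces, the leverage formula and the 5% bound are assumptions) of a retarget step in two forms: one that sizes the position straight from latestPrice, and one that first bounds how far the reported price may move from the last accepted one, which is one way to act on the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical interfaces: the names mirror the issue text, not Perennial's real ABI.
interface IOracle {
    function latestPrice() external view returns (uint256); // assumed 1e18-scaled
}

interface IMarket {
    function update(uint256 targetPosition, uint256 collateral) external;
}

contract VaultSketch {
    IOracle public immutable oracle;
    IMarket public immutable market;
    uint256 public immutable leverage;               // assumed: 1e18 == 1x
    uint256 public lastAcceptedPrice;                // price used at the previous retarget
    uint256 public constant MAX_DEVIATION_BPS = 500; // assumed bound: 5% per retarget

    constructor(IOracle _oracle, IMarket _market, uint256 _leverage) {
        oracle = _oracle;
        market = _market;
        leverage = _leverage;
    }

    // Position size = notional / price, so a price reported too low inflates the target.
    function _targetFor(uint256 collateral, uint256 price) internal view returns (uint256) {
        return collateral * leverage / price;
    }

    // Unchecked form: whatever the oracle reports directly sizes the market position.
    function _retargetUnchecked(uint256 collateral) internal {
        uint256 price = oracle.latestPrice();
        market.update(_targetFor(collateral, price), collateral);
    }

    // Checked form: reject a retarget whose price jumped too far from the last accepted one.
    function _retargetChecked(uint256 collateral) internal {
        uint256 price = oracle.latestPrice();
        require(price != 0, "zero price");
        if (lastAcceptedPrice != 0) {
            uint256 diff = price > lastAcceptedPrice
                ? price - lastAcceptedPrice
                : lastAcceptedPrice - price;
            require(diff * 10_000 <= lastAcceptedPrice * MAX_DEVIATION_BPS, "price deviation");
        }
        lastAcceptedPrice = price;
        market.update(_targetFor(collateral, price), collateral);
    }
}
```

A per-update deviation bound limits how much a single retarget can be skewed by one reported price; it does not replace trust in the oracle operator, which is the basis on which the judges closed this issue.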

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

panprog commented:

invalid because market (and oracle) owners are trusted