ravikiran.web3 - OracleModule::updatePythPrice() as external function, offchain oracle price can be manipulated by delayed Order owners to derive benefit #66
OracleModule::updatePythPrice() as external function, offchain oracle price can be manipulated by delayed Order owners to derive benefit
Summary
updatePythPrice() function which is used to set the Pyth network(Offchain) price can be used to set price favourable to caller's delayed announced order
Vulnerability Detail
Delayed Orders that are pushed into the queue will qualify to execute at a time, that can be computed as below.
executableAtTime = blocktime + minExecutabilityAge
So, order owner can plan and update the Offchain price for the time window and then call executeOrder() to benefit from the manipulated price. The price manipulation is limited as it is being compared against the onchain price, but there is still a scope for order owners to compete and update the offchain prices to max possible deviation from the onchain price.
Impact
Potential for limited manipulation of offchain oracle price. The limited manipulation of price will applied to volume of asset in the order can have larger impact.
Potentially, the function was left public so that it can be called from the below function via the OracleModifiers. The approach looks like there are certain parties in the protocol that will participate in execution of below functions. These participants will also play a role in maintaining the offchain oracle price.
1) executeOrder
2) executeLimitOrder
3) liquidate
Solution:
The recommendation is to whitelist these participants so to restrict the access to update offchain oracle price. Only a limited and trusted parties are able to update and maintain the offchain oracle price.
ravikiran.web3
medium
OracleModule::updatePythPrice() as external function, offchain oracle price can be manipulated by delayed Order owners to derive benefit
Summary
updatePythPrice() function which is used to set the Pyth network(Offchain) price can be used to set price favourable to caller's delayed announced order
Vulnerability Detail
Delayed Orders that are pushed into the queue will qualify to execute at a time, that can be computed as below. executableAtTime = blocktime + minExecutabilityAge
So, order owner can plan and update the Offchain price for the time window and then call executeOrder() to benefit from the manipulated price. The price manipulation is limited as it is being compared against the onchain price, but there is still a scope for order owners to compete and update the offchain prices to max possible deviation from the onchain price.
Impact
Potential for limited manipulation of offchain oracle price. The limited manipulation of price will applied to volume of asset in the order can have larger impact.
Code Snippet
updatePythPrice() function https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L64-L76
executeOrder() can be called for any pending order that qualifies execution. https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L378-L410
Tool used
Manual Review
Recommendation
Potentially, the function was left public so that it can be called from the below function via the OracleModifiers. The approach looks like there are certain parties in the protocol that will participate in execution of below functions. These participants will also play a role in maintaining the offchain oracle price.
1) executeOrder 2) executeLimitOrder 3) liquidate
Solution: The recommendation is to whitelist these participants so to restrict the access to update offchain oracle price. Only a limited and trusted parties are able to update and maintain the offchain oracle price.
Duplicate of #59