search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

ravikiran.web3 - OracleModule::updatePythPrice() as external function, offchain oracle price can be manipulated by delayed Order owners to derive benefit #66

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

ravikiran.web3

medium

OracleModule::updatePythPrice() as external function, offchain oracle price can be manipulated by delayed Order owners to derive benefit

Summary

updatePythPrice() function which is used to set the Pyth network(Offchain) price can be used to set price favourable to caller's delayed announced order

Vulnerability Detail

Delayed Orders that are pushed into the queue will qualify to execute at a time, that can be computed as below. executableAtTime = blocktime + minExecutabilityAge

So, order owner can plan and update the Offchain price for the time window and then call executeOrder() to benefit from the manipulated price. The price manipulation is limited as it is being compared against the onchain price, but there is still a scope for order owners to compete and update the offchain prices to max possible deviation from the onchain price.

Impact

Potential for limited manipulation of offchain oracle price. The limited manipulation of price will applied to volume of asset in the order can have larger impact.

Code Snippet

updatePythPrice() function https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L64-L76

executeOrder() can be called for any pending order that qualifies execution. https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L378-L410

Tool used

Manual Review

Recommendation

Potentially, the function was left public so that it can be called from the below function via the OracleModifiers. The approach looks like there are certain parties in the protocol that will participate in execution of below functions. These participants will also play a role in maintaining the offchain oracle price.

1) executeOrder 2) executeLimitOrder 3) liquidate

Solution: The recommendation is to whitelist these participants so to restrict the access to update offchain oracle price. Only a limited and trusted parties are able to update and maintain the offchain oracle price.

Duplicate of #59

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid