Closed sherlock-admin2 closed 8 months ago
It's not clear that the supplyFactor can be manipulated. The supply factor increases as a function of time and the utilization of the market; it cannot be directly manipulated significantly over short time intervals. Over long time intervals this is just called borrowing.
In Compound V2, it can be manipulated by donating tokens to the protocol; however, Notional V3 does not account for donated tokens to the protocol.
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { This is valid high findings}
Agree with @jeffywu on this one - the supply factor can not be manipulated. With a rebalance cooldown of five hours, the supply factor will reflect how much interest has actually been earned over the past five hours. Because it looks at actual interest earned over the period and not the current interest rate at the time, it is not vulnerable to the kind of manipulation you're describing here as I understand it.
xiaoming90
high
Oracle supply rate is vulnerable to manipulation
Summary
Malicious users could manipulate the oracle rate to perform market/price manipulation, which could lead to loss of funds.
For instance, malicious users could depress the rate, which causes portfolio values to decrease and liquidate the victims. On the other hand, malicious users could increase the rate to inflate their portfolio values to over-borrow, resulting in the protocol incurring bad debt and affecting the insolvency of the protocol.
Vulnerability Detail
Based on the test script in the audit repository, the rebalancingCooldownInSeconds is set to around 5 hours. Assume that the rebalancing cooldown is set to 5 hours in this report.
With the rebalancing cooldown in place, this means that a rebalance can only be executed once every 5 hours unless the external lending is unhealthy, which in this case can be executed immediately. The rebalance is triggered by the rebalancing bots.
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/TreasuryAction.sol#L309
During the rebalancing, the oracle supply rate will be updated if the cool-down has passed. Refer to Line 328 below.
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/TreasuryAction.sol#L328
Within the _updateOracleSupplyRate function below, the comment at Line 343 mentioned that it is important to use a TWAP oracle here to ensure that this fCash is not subject to market manipulation. However, upon reviewing the updateRateOracle function, it was observed that it does not implement any TWAP. The oracle supply rate is computed based on the current spot value of the pr.supplyFactor, which can be manipulated.
The oracle supply rate can be simplified as follows (ignoring the precision accuracy and ordering for simplicity's sake):
If one could inflate the pr.supplyFactor, the oracle supply rate will be inflated.
Assuming that the cooldown has passed and the bots submit a rebalance TX, a malicious user could front-run the rebalance TX and inflate the pr.supplyFactor. When the rebalance TX is executed, the inflated oracle supply rate will immediately be stored in the storage at Line 372 below.
The attacker back-runs the rebalance TX to exploit the inflated/manipulated oracle rate and subsequently potentially use the ill-gain assets to repay the flash loan if it is used to manipulate the fCash market earlier. Flash-loan is not required if the attacker is well-funded.
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/TreasuryAction.sol#L346
Impact
Malicious users could manipulate the oracle rate to perform market/price manipulation, which could lead to loss of funds.
For instance, malicious users could depress the rate, which causes portfolio values to decrease and liquidate the victims. On the other hand, malicious users could increase the rate to inflate their portfolio values to over-borrow, resulting in the protocol incurring bad debt and affecting the insolvency of the protocol.
Code Snippet
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/TreasuryAction.sol#L309
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/TreasuryAction.sol#L328
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/TreasuryAction.sol#L346
Tool used
Manual Review
Recommendation
Implement a TWAP similar to the one within the InterestRateCurve.updateRateOracle function.
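An added illustration of the recommendation, not code from the report or from Notional: a generic linear time-weighted blend compared with a spot update, replayed over constructed observations taken once per 5-hour cooldown. The 24-hour window, the 1e9 rate scale and the sample rates are assumptions.

```python
# Added illustration; not Notional's code. All sample values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class OracleState:
    rate: int          # stored oracle rate, fixed-point (assumed 1e9 = 100%)
    last_update: int   # timestamp of the last update, in seconds

def spot_update(state, observed, now):
    """Store the latest observation as-is (no smoothing)."""
    return OracleState(observed, now)

def twap_update(state, observed, now, window):
    """Blend the observation into the stored rate, weighted by elapsed time."""
    elapsed = now - state.last_update
    if elapsed < 0:
        raise ValueError("timestamp moved backwards")
    if elapsed >= window:
        # Stale stored rate: the observation replaces it entirely, so a
        # window no longer than the update interval gives no smoothing.
        return OracleState(observed, now)
    blended = (observed * elapsed + state.rate * (window - elapsed)) // window
    return OracleState(blended, now)

def replay(observations, start_rate, step, window):
    """Feed observations taken every `step` seconds to both update rules."""
    spot = twap = OracleState(start_rate, 0)
    spot_rates, twap_rates = [], []
    for i, observed in enumerate(observations, start=1):
        now = i * step
        spot = spot_update(spot, observed, now)
        twap = twap_update(twap, observed, now, window)
        spot_rates.append(spot.rate)
        twap_rates.append(twap.rate)
    return spot_rates, twap_rates

COOLDOWN = 5 * 3600      # 5-hour rebalance cooldown, as in the report
WINDOW = 24 * 3600       # assumed averaging window
BASE, OUTLIER = 50_000_000, 200_000_000   # constructed: 5% and 20%

if __name__ == "__main__":
    spot_rates, twap_rates = replay([BASE, OUTLIER, BASE], BASE, COOLDOWN, WINDOW)
    print("spot:", spot_rates)
    print("twap:", twap_rates)
```

The blend caps how far one outlying observation moves the stored rate, but the distortion then decays over later updates instead of disappearing at the next one, and a window equal to the cooldown behaves exactly like the spot update.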