In OracleMaker share value is being calculated using the current oracle price. As pyth oracle can return different prices in same transaction malicious users can extract value from OracleMaker by depositing at a lower price and withdrawing at higher price which is an instant arbitrage opportunity.
Vulnerability Detail
The Pyth network oracle contract allows to submit and read two different prices in the same transaction. So pyth can return different prices in the same trasaction. So an attacker can use these price difference to play arbitrage by depositing huge amount of margin at lower price using flashloan and withdrawing the margin at higher price.
The price of ETH(base Asset) at time 10 seconds is 3500 and 3510 at 60 seconds.
Attacker first submits price at 20 seconds to the pyth oracle and calls deposit of OracleMaker (as _maxPriceAge is 60 seconds price at 10 seconds will be valid since its age is only 50 seconds).
Attacker then submits the price at 50 seconds to the pyth oracle and then calls withdraw function (price at 60 seconds is also valid as its age is 0 seconds).
If the maker has a long position depositing at 3500 price and withdrawing at 3510 will make attacker some profit because share value of OracleMaker will increase as the accountValueincreases(long position) if the price increases.
So an attacker can make an arbitrage profit using the small differences in the prices by depositing huge amount of funds using a flash loan.
Impact
An attacker can extract value from the OracleMaker using arbitrage opportunities.
jokr
high
Instant arbitrage oppurtunity in OracleMaker
Summary
In
OracleMaker
share value is being calculated using the current oracle price. As pyth oracle can return different prices in same transaction malicious users can extract value fromOracleMaker
by depositing at a lower price and withdrawing at higher price which is an instant arbitrage opportunity.Vulnerability Detail
The Pyth network oracle contract allows to submit and read two different prices in the same transaction. So pyth can return different prices in the same trasaction. So an attacker can use these price difference to play arbitrage by depositing huge amount of margin at lower price using flashloan and withdrawing the margin at higher price.
Ref: https://github.com/sherlock-audit/2023-12-flatmoney-judging/issues/216
Consider this scenario
block.timestamp
is 60 seconds.OracleMaker
(as_maxPriceAge
is 60 seconds price at 10 seconds will be valid since its age is only 50 seconds).accountValue
increases(long position) if the price increases.Impact
An attacker can extract value from the
OracleMaker
using arbitrage opportunities.Code Snippet
OracleMaker.sol#L201-L204
OracleMaker.sol#L242
Tool used
Manual Review
Recommendation
Introduce delay in withdraw function of
OracleMaker
.Duplicate of #123