sherlock-audit / 2024-04-teller-finance-judging


BoRonGod - Deviation in oracle price could lead to arbitrage in high LTV markets #231

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 4 months ago

BoRonGod

medium

Deviation in oracle price could lead to arbitrage in high LTV markets

Summary

Deviation in oracle price could lead to arbitrage in high LTV markets.

Vulnerability Detail

In LenderCommitmentGroup_Smart, the maximum amount a user can borrow is calculated with the conversion rate between two assets in a uniV3 pool:

```solidity
// LenderCommitmentGroup_Smart.sol (excerpt as quoted in the report)
function getCollateralRequiredForPrincipalAmount(uint256 _principalAmount)
    public
    view
    returns (uint256)
{
    // principal converted into collateral-token units at the oracle price
    uint256 baseAmount = _calculateCollateralTokensAmountEquivalentToPrincipalTokens(
            _principalAmount
        );

    //this is an amount of collateral
    return baseAmount.percent(collateralRatio);
}
```

_calculateCollateralTokensAmountEquivalentToPrincipalTokens is calculated by calling the uniV3 oracle's observe() function, which returns a TWAP value.

```solidity
function _calculateCollateralTokensAmountEquivalentToPrincipalTokens(
    uint256 principalTokenAmountValue
) internal view returns (uint256 collateralTokensAmountToMatchValue) {
    ...
    // time-weighted price derived from observe() over twapInterval
    uint256 pairPriceWithTwap = _getUniswapV3TokenPairPrice(twapInterval);
    // current price: an interval of zero reads the pool's present tick
    uint256 pairPriceImmediate = _getUniswapV3TokenPairPrice(0);
    ...
}
```

However, Uniswap V3 TWAP update is susceptible to front-running as their prices tend to lag behind an asset's real-time price. (More specifically: Uniswap V3 TWAP returns the average price over the past X number of blocks, which means it will always lag behind the real-time price.)

For Teller, this becomes profitable when the price deviation is sufficiently large for an attacker to open positions that become bad debt.

Impact

All profit gained from arbitrage causes a loss of funds for lenders as the remaining bad debt is socialized by them.

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L634-L663

Tool used

Manual Review

Recommendation

Consider implementing a borrowing fee to mitigate against arbitrage opportunities. Ideally, this fee would be larger than the oracle's maximum price deviation so that it is not possible to profit from arbitrage.

Multiple solutions may be studied:

Further possible mitigations have also been explored by other protocols:

  • Angle Protocol: Oracles and Front-Running
  • Liquity: The oracle conundrum

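The lag mechanism described under Vulnerability Detail, and the borrowing-fee recommendation, as an added worked example. This is an illustration written for this page in Python, not code from the Teller Finance repository or from the report's author. Assumptions, all constructed: a tick-cumulative oracle standing in for the pool's observe(), 12-second blocks, a 30-minute TWAP window, a 105 % collateral ratio (a high-LTV market), an 8 % repricing of the principal token over five blocks, and, for comparison, a variant that charges collateral at whichever of TWAP and spot demands more (the quoted snippet fetches both prices; how the contract combines them is elided on the page, so that variant is an assumption, not a statement about Teller).

```python
"""Model of a lagging Uniswap V3 TWAP letting a borrower open a loan that is
bad debt from block one, and of the borrowing fee proposed as mitigation.

Added illustration with constructed numbers; not code from the Teller
Finance repository. Prices are collateral tokens per principal token, the
direction getCollateralRequiredForPrincipalAmount() converts in.
"""
import math

TICK_BASE = 1.0001      # Uniswap V3: price = 1.0001 ** tick
BLOCK_SECONDS = 12      # assumed block time


def price_to_tick(price: float) -> int:
    return round(math.log(price) / math.log(TICK_BASE))


def tick_to_price(tick: float) -> float:
    return TICK_BASE ** tick


class TickOracle:
    """Stand-in for the pool's observe(): records tickCumulative at every
    block boundary, so twap() is the time-weighted mean tick (geometric
    mean price) over the interval, the same arithmetic a V3 TWAP uses."""

    def __init__(self, initial_price: float) -> None:
        self.ticks = [price_to_tick(initial_price)]   # spot tick per block
        self.cumulative = [0]                         # tickCumulative per block

    def advance_block(self, new_price: float) -> None:
        # The previous spot tick prevailed for the whole block that just elapsed.
        self.cumulative.append(self.cumulative[-1] + self.ticks[-1] * BLOCK_SECONDS)
        self.ticks.append(price_to_tick(new_price))

    def spot(self) -> float:
        return tick_to_price(self.ticks[-1])

    def twap(self, interval: int) -> float:
        blocks = interval // BLOCK_SECONDS
        if blocks < 1 or blocks >= len(self.cumulative):
            raise ValueError("interval not covered by stored observations")
        delta = self.cumulative[-1] - self.cumulative[-1 - blocks]
        return tick_to_price(delta / (blocks * BLOCK_SECONDS))


def collateral_required(principal, oracle_price, collateral_ratio_pct):
    """Same shape as getCollateralRequiredForPrincipalAmount(): principal
    converted at the oracle price, then scaled by collateralRatio (percent)."""
    return principal * oracle_price * collateral_ratio_pct / 100


def attacker_profit(principal, oracle_price, market_price,
                    collateral_ratio_pct, fee_pct=0.0):
    """Collateral-denominated profit of a borrower who posts the minimum
    collateral, sells the principal at the real price and never repays.
    Positive means the loan is bad debt that pays the borrower."""
    posted = collateral_required(principal, oracle_price, collateral_ratio_pct)
    proceeds = principal * market_price
    fee = proceeds * fee_pct / 100       # assumed: fee taken as a share of principal
    return proceeds - posted - fee


def breakeven_fee_pct(principal, oracle_price, market_price, collateral_ratio_pct):
    """Smallest fee (percent of principal) at which attacker_profit() is zero."""
    posted = collateral_required(principal, oracle_price, collateral_ratio_pct)
    proceeds = principal * market_price
    return max(0.0, (proceeds - posted) / proceeds * 100)


def scenario(twap_interval=1800, collateral_ratio_pct=105.0, principal=1000.0):
    """Constructed market: 40 minutes flat at 1.00, then the principal token
    reprices 8 % upward within five blocks. Returns what the two oracle
    readings say and what each pricing policy costs the lenders."""
    oracle = TickOracle(1.00)
    for _ in range(200):
        oracle.advance_block(1.00)
    for p in (1.02, 1.04, 1.06, 1.08, 1.08):
        oracle.advance_block(p)
    twap, spot = oracle.twap(twap_interval), oracle.spot()
    return {
        "twap": twap,
        "spot": spot,
        "deviation_pct": (spot / twap - 1) * 100,
        # policy 1: TWAP only, no fee (the lag the report describes)
        "profit_twap_only": attacker_profit(principal, twap, spot, collateral_ratio_pct),
        # policy 2: TWAP plus a borrowing fee above the observed deviation
        "profit_with_fee": attacker_profit(principal, twap, spot, collateral_ratio_pct, fee_pct=8.0),
        "breakeven_fee_pct": breakeven_fee_pct(principal, twap, spot, collateral_ratio_pct),
        # policy 3 (assumed variant): whichever of TWAP and spot demands more collateral
        "profit_protocol_favoring": attacker_profit(principal, max(twap, spot), spot, collateral_ratio_pct),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:>26}: {v:.4f}")
```

Running `scenario()` shows the 30-minute TWAP still reading about 1.001 while spot is 1.08: the 5 % over-collateralisation cushion is smaller than the deviation, so the borrower walks away with a positive collateral balance and the position is under water the moment it opens. `breakeven_fee_pct` is the fee at which that profit vanishes for this particular jump; the report's recommendation of a fee above the oracle's maximum deviation is the conservative version of the same number, since the cushion is ignored and the fee is sized for the worst move the oracle can lag behind.

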
nevillehuang commented 4 months ago

request poc

This is likely invalid, given

  1. Protocol always checks for TWAP price and spot price and uses whichever is in favor of the protocol as seen here
  2. There is no concept of value based liquidations within teller per teller docs as seen here

sherlock-admin4 commented 4 months ago

PoC requested from @BoRonG0d

Requests remaining: 9

BoRonG0d commented 4 months ago

Hi @nevillehuang

  1. The spot price doesn't matter here, since it can be easily manipulated by flashloan at a small cost.
  2. The bad debt I mentioned in my report does not need to profit from liquidation. Arbitrageurs have simply acquired assets in Teller at a discounted price, and their time-based borrowing is still valid, even if they have become bad debt based on price.

nevillehuang commented 4 months ago

@BoRonG0d Can you provide me an indepth example of how the bad debt occurs here? Your issue is quite vague