Using AMM as an Oracle can lead to price manipulation attacks via flashLoan
Summary
The protocol uses PT Oracle to fetch the price of tokens, but Pendle is an AMM as well which makes it really susceptible to price manipulation attacks by using of flashloans.
Vulnerability Detail
Using AMM as oracle is not secure. As the recent hack of UWU lend, root cause of which is also Price manipulation attacks via flashloans.
Where attacker was able to influence the price oracle by carrying out significant transactions in the CurveFinance pool forms the basis of this attack. The attacker was able to take advantage of the falsified price of the sUSDE token and withdraw more assets from the pool as a result of this manipulation.
Similarly an attacker can carry out significant transactions flashloans from Pendle AMM and that will manipulate the price of tokens on the Oracle.
Which again is used by Notional Leverage Vaults, so the price of their assets
will also be manipulated.
Articles related to UWU lend which faced a similar attack, is linked below
Link1Link2
Although this can be just considered as a design choice by the protocol.
unRekt
Medium
Using AMM as an Oracle can lead to price manipulation attacks via flashLoan
Summary
The protocol uses PT Oracle to fetch the price of tokens, but Pendle is an AMM as well which makes it really susceptible to price manipulation attacks by using of flashloans.
Vulnerability Detail
Using AMM as oracle is not secure. As the recent hack of UWU lend, root cause of which is also Price manipulation attacks via flashloans. Where attacker was able to influence the price oracle by carrying out significant transactions in the CurveFinance pool forms the basis of this attack. The attacker was able to take advantage of the falsified price of the sUSDE token and withdraw more assets from the pool as a result of this manipulation.
Similarly an attacker can carry out significant transactions flashloans from Pendle AMM and that will manipulate the price of tokens on the Oracle. Which again is used by Notional Leverage Vaults, so the price of their assets will also be manipulated. Articles related to UWU lend which faced a similar attack, is linked below Link1 Link2
Although this can be just considered as a design choice by the protocol.
Contract: https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/14d3eaf0445c251c52c86ce88a84a3f5b9dfad94/leveraged-vaults-private/contracts/oracles/PendlePTOracle.sol#L1-L155
Impact
Using AMM as an Oracle makes the protocol vulnerable to price manipulation attacks
Code Snippet
Tool used
Manual Review
Recommendation
Use other oracle services like Chainlink to fetch the price of assets/tokens.