Closed (sherlock-admin3 closed 1 month ago)
This is clearly described in the scope: "The migration is supposed to run at the spell, where nst and ngt are init. Since until that point ngt is not in circulation the pool can not be deposited to, and hence its total supply would still be 0."
If there is no NGT supply, nothing can be donated.
Random_dude
High
Tampering NST-NGT TWAP price during migration
Summary
UniV2PoolMigratorInit.sol (https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/univ2-pool-migrator/deploy/UniV2PoolMigratorInit.sol) only checks whether the Uniswap V2 pair contract has a total supply of 0 before continuing the migration (https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/univ2-pool-migrator/deploy/UniV2PoolMigratorInit.sol#L50). During this migration the Uniswap V2 pair records the price at initialization, essentially setting the initial price; when the next _update() call happens in the pair, it records how long that price held and updates price0Cumulative and price1Cumulative. These variables can be used by other contracts or off-chain actors to get the TWAP price of an asset over a given time frame. These steps are:
Step 2 is the most important part.
The problem is that the UniV2PoolMigration contract does not check whether price0Cumulative and price1Cumulative of the pool are already initialized, or whether reserve0 and reserve1 are empty. This lets anyone initialize the price of the assets to whatever they want, which causes other contracts or off-chain actors to get bad price data, especially during the initial migration process.
Since this is a new asset, most CEXs probably will not provide CEX oracle data, and the oracle will instead use the malicious TWAP price of the Uniswap V2 pair, which can be attacked during migration. This would definitely affect the whole Maker ecosystem, especially the NST and NGT assets.
Root Cause
Missing reserve0 and reserve1 check in UniV2PoolMigratorInit.sol:
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/univ2-pool-migrator/deploy/UniV2PoolMigratorInit.sol
Internal pre-conditions
A whale can trigger and tamper with the TWAP price of the Uniswap V2 pair NGT-NST.
External pre-conditions
A whale can trigger and tamper with the TWAP price of the Uniswap V2 pair NGT-NST.
Attack Path
Now if some actor tries to calculate the TWAP price for some time after the migration, it will get an incorrect TWAP price.
Impact
Wrong initial oracle price during migration.
PoC
I modified the Deployment.t.sol in the univ2-pool-migrator,
and I also made a simple TWAP contract to check the average price of an asset.
In this PoC the random_dude does lose some funds during this attack; however, manipulating the TWAP price usually costs a lot more on a pair that has already stabilized.
Mitigation
Add another check in UniV2PoolMigratorInit.sol before continuing with the migration.
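To make the accumulator behaviour described in the Summary concrete, here is an added Python model (not the report's PoC and not Maker's or Uniswap's code) of the bookkeeping UniswapV2Pair._update performs, together with the extra reserve check the Mitigation asks for; PairModel, twap_price0, pool_is_untouched and the sample deposit amounts are chosen here for illustration.

```python
# Added model of UniswapV2Pair reserve/price-cumulative bookkeeping (illustrative only).
# It shows that the first _update records reserves without accumulating, so whatever
# price the first depositor sets is what a TWAP consumer later reads for that window.
Q112 = 2 ** 112  # Uniswap V2 stores prices as UQ112x112 fixed point


class PairModel:
    """reserve0/reserve1, price0Cumulative/price1Cumulative and blockTimestampLast,
    updated the way UniswapV2Pair._update does (uint overflow wrap-around omitted)."""

    def __init__(self):
        self.reserve0 = self.reserve1 = 0
        self.price0_cumulative = self.price1_cumulative = 0
        self.block_timestamp_last = 0
        self.total_supply = 0

    def _update(self, balance0, balance1, now):
        elapsed = now - self.block_timestamp_last
        # Accumulation requires non-zero reserves, so the very first _update only
        # records the reserves; the implied price is then "held" until the next call.
        if elapsed > 0 and self.reserve0 and self.reserve1:
            self.price0_cumulative += self.reserve1 * Q112 // self.reserve0 * elapsed
            self.price1_cumulative += self.reserve0 * Q112 // self.reserve1 * elapsed
        self.reserve0, self.reserve1 = balance0, balance1
        self.block_timestamp_last = now

    def mint(self, amount0, amount1, now):
        """Liquidity deposit; on an empty pair it fixes the initial price amount1/amount0."""
        self._update(self.reserve0 + amount0, self.reserve1 + amount1, now)
        self.total_supply += int((amount0 * amount1) ** 0.5)  # roughly sqrt(k), as a model

    def sync(self, now):
        """Any later pair interaction (swap, mint, burn, sync) goes through _update."""
        self._update(self.reserve0, self.reserve1, now)


def twap_price0(cum_start, t_start, cum_end, t_end):
    """token0 priced in token1 over [t_start, t_end], as a TWAP consumer computes it."""
    return (cum_end - cum_start) // (t_end - t_start) / Q112


def pool_is_untouched(pair):
    """Check the report proposes for the migrator: not only totalSupply == 0 but also
    both reserves still zero, i.e. no price has been recorded in the pair yet."""
    return pair.total_supply == 0 and pair.reserve0 == 0 and pair.reserve1 == 0


if __name__ == "__main__":
    pair = PairModel()
    print("untouched before any deposit:", pool_is_untouched(pair))
    pair.mint(1_000, 5_000, now=100)  # constructed: first depositor sets 1 token0 = 5 token1
    c0, t0 = pair.price0_cumulative, pair.block_timestamp_last
    pair.sync(now=700)
    print("TWAP over the window:", twap_price0(c0, t0, pair.price0_cumulative, 700))
```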