search

sherlock-audit / 2024-06-makerdao-endgame-judging

1 stars 1 forks source link

hash - Oracle manipulation can affect flapper since OSM is not used #111

Closed sherlock-admin4 closed 1 month ago

sherlock-admin4 commented 1 month ago

hash

Medium

Oracle manipulation can affect flapper since OSM is not used

Summary

Oracle manipulation can affect flapper since OSM is not used

Vulnerability Detail

The current version of PIP_MKR is not an implementation of OSM and hence the price is read as is without any delay and also lacks the freezing functionality in case of any malicious update The flapper contracts uses this price to estimate how much of gem should be obtained when it sells dai and hence a malicious oracle operator collusion could result in malicious prices which would be used immediately by this contract. This can result in the flapper contract selling dai for very low prices causing a loss to the protocol

Impact

Malicious oracle operator collusion can cause flapper contract to sell dai at low prices

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/dba30d7a676c20dfed3bda8c52fd6702e2e85bb1/dss-flappers/deploy/FlapperInit.sol#L128

Tool used

Manual Review

Recommendation

Implement OSM for MKR

sunbreak1211 commented 1 month ago

No, we are on purpose not using OSMs as we need live prices. This won't work with delayed prices as the OSM provides. Oracle manipulation is out of the scope of the contest.