Oracle manipulation can affect flapper since OSM is not used
Summary
Oracle manipulation can affect flapper since OSM is not used
Vulnerability Detail
The current version of PIP_MKR is not an implementation of OSM and hence the price is read as is without any delay and also lacks the freezing functionality in case of any malicious update
The flapper contracts uses this price to estimate how much of gem should be obtained when it sells dai and hence a malicious oracle operator collusion could result in malicious prices which would be used immediately by this contract. This can result in the flapper contract selling dai for very low prices causing a loss to the protocol
Impact
Malicious oracle operator collusion can cause flapper contract to sell dai at low prices
No, we are on purpose not using OSMs as we need live prices. This won't work with delayed prices as the OSM provides. Oracle manipulation is out of the scope of the contest.
hash
Medium
Oracle manipulation can affect flapper since OSM is not used
Summary
Oracle manipulation can affect flapper since OSM is not used
Vulnerability Detail
The current version of PIP_MKR is not an implementation of OSM and hence the price is read as is without any delay and also lacks the freezing functionality in case of any malicious update The flapper contracts uses this price to estimate how much of
gem
should be obtained when it sellsdai
and hence a malicious oracle operator collusion could result in malicious prices which would be used immediately by this contract. This can result in the flapper contract selling dai for very low prices causing a loss to the protocolImpact
Malicious oracle operator collusion can cause flapper contract to sell dai at low prices
Code Snippet
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/dba30d7a676c20dfed3bda8c52fd6702e2e85bb1/dss-flappers/deploy/FlapperInit.sol#L128
Tool used
Manual Review
Recommendation
Implement OSM for MKR