search

sherlock-audit / 2024-06-velocimeter-judging

11 stars 7 forks source link

cryptic - `OptionTokenV4::getPaymentTokenAmountForExerciseLp` uses the spot price of the `Pair`, which is easily manipulatable #530

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

cryptic

Medium

OptionTokenV4::getPaymentTokenAmountForExerciseLp uses the spot price of the Pair, which is easily manipulatable

Summary

OptionTokenV4::getPaymentTokenAmountForExerciseLp uses the spot price of the Pair to calculate the amount of liquidity to add, which is easily manipulatable.

A malicious user can manipulate the reserves for their benefit, potentially paying less for the amount of LP minted.

Vulnerability Detail

OptionTokenV4::exerciseVe and OptionTokenV4::exerciseLp burn oFLOW from the caller and pulls payment token to add FLOW and payment token to the respective pair for LP tokens.

The amount of payment token to pull is calculated via the following:

OptionTokenV4.sol#L607

(uint256 paymentAmount,uint256 paymentAmountToAddLiquidity) =  getPaymentTokenAmountForExerciseLp(_amount,_discount);

OptionTokenV4.sol#L350-L356

    function getPaymentTokenAmountForExerciseLp(uint256 _amount,uint256 _discount) public view returns (uint256 paymentAmount, uint256 paymentAmountToAddLiquidity)
    {

        paymentAmount = _discount == 0 ? 0 : getLpDiscountedPrice(_amount, _discount);
@>      (uint256 underlyingReserve, uint256 paymentReserve) = IRouter(router).getReserves(underlyingToken, paymentToken, false);
        paymentAmountToAddLiquidity = (_amount * paymentReserve) / underlyingReserve;
    }

IRouter::getReserves returns the current reserves (spot price) of the underlying/payment pair. This can lead to price manipulation where a malicious user can manipulate the pair reserves for their benefit.

Impact

Price manipulation (i.e, via flash loan), users may be able to pay less for LP minted.

Code Snippet

https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/OptionTokenV4.sol#L607

https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/OptionTokenV4.sol#L350-L356

Tool used

Manual Review

Recommendation

Utilize TWAP instead of spot price.

nevillehuang commented 2 months ago

request poc

See coments here

sherlock-admin4 commented 2 months ago

PoC requested from @crypticdefense

Requests remaining: 15

crypticdefense commented 2 months ago

@nevillehuang commented on the main issue for simplicity

WangSecurity commented 2 months ago

Invalid based on the discussion under #199