Able Gingham Manatee - Pair price may be manipulated by direct transfers to attack 3rd party protocols that may integrate with velocimeter in the future #713
Pair price may be manipulated by direct transfers to attack 3rd party protocols that may integrate with velocimeter in the future
Summary
Price of pair depends on the balance of tokens available in the pair.sol contract. And third-party projects/protocols that will integrate with velocimeter may depend on Pair.prices(), Pair.currentCumulativePrices(), Pair.current(), Pair.quote() for their price readings but they are very manipulatable.
Vulnerability Detail
Since the Pair contract exposes the price functions, it maybe be used as a price oracle in third-party integrations. Manipulating the price of a pair may allow an attacker to steal funds from such integrations.
The pair.sol contract captures oracle readings every 30 minutes
if (timeElapsed > periodSize) {
observations.push(Observation(blockTimestamp, reserve0CumulativeLast, reserve1CumulativeLast));
}
An attacker can aim for the 30 mins time interval when twap readings will be captured and he will use FLASHLOANS to manipulate/ inflate the Pair prices this will aid him to successfully attack the third-party projects that integrate with velocimeter and depend on Pair prices for their price readings.
Impact
Manipulating the price of a pair may allow an attacker to steal funds from third-party integrations that depend on Pair.prices(), Pair.currentCumulativePrices(), Pair.current(), Pair.quote() for their price readings.
Having these functions will do harm to 3rd party projects that will be integrating with velocimeter in future as their readings are very manipulatable.
Able Gingham Manatee
Low/Info
Pair price may be manipulated by direct transfers to attack 3rd party protocols that may integrate with velocimeter in the future
Summary
Price of pair depends on the balance of tokens available in the pair.sol contract. And third-party projects/protocols that will integrate with velocimeter may depend on
Pair.prices(),Pair.currentCumulativePrices(),Pair.current(),Pair.quote()for their price readings but they are very manipulatable.Vulnerability Detail
Since the Pair contract exposes the price functions, it maybe be used as a price oracle in third-party integrations. Manipulating the price of a pair may allow an attacker to steal funds from such integrations.
The pair.sol contract captures oracle readings every 30 minutes
An attacker can aim for the 30 mins time interval when twap readings will be captured and he will use FLASHLOANS to manipulate/ inflate the Pair prices this will aid him to successfully attack the third-party projects that integrate with velocimeter and depend on
Pair pricesfor their price readings.Impact
Manipulating the price of a pair may allow an attacker to steal funds from third-party integrations that depend on
Pair.prices(),Pair.currentCumulativePrices(),Pair.current(),Pair.quote()for their price readings.Code Snippet
https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/Pair.sol#L222
https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/Pair.sol#L182
https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/Pair.sol#L198
https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/Pair.sol#L212
Tool used
Manual Review
Recommendation
checking the original uniswapV2Pair.sol contract there are no functions like
Pair.prices(),Pair.currentCumulativePrices(),Pair.current(),Pair.quote()please remove these. https://github.com/Uniswap/v2-core/blob/ee547b17853e71ed4e0101ccfd52e70d5acded58/contracts/UniswapV2Pair.solHaving these functions will do harm to 3rd party projects that will be integrating with velocimeter in future as their readings are very manipulatable.