sherlock-audit / 2024-08-cork-protocol-judging


nikhil840096 - `FlashSwapRouter:getCurrentPriceRatio()` is vulnerable to flashloan price manipulation. #30

Closed sherlock-admin4 closed 1 month ago

sherlock-admin4 commented 1 month ago

nikhil840096

Medium

FlashSwapRouter:getCurrentPriceRatio() is vulnerable to flashloan price manipulation.

Summary

The FlashSwapRouter:getCurrentPriceRatio() function fetches the price ratio of a token pair based on the amounts of tokens in Uniswap reserves. This ratio is highly susceptible to manipulation through flash loans.

Vulnerability Detail

The FlashSwapRouter:getCurrentPriceRatio function is responsible for returning the price ratio of a token pair from the uniswapPair by calculating the ratio of both tokens' reserves. It retrieves this price ratio by calling the DsFlashSwap:getPriceRatio function.

Within the DsFlashSwap:getPriceRatio function:

The redemption asset (RA) can be DAI, USDT, ETH, or any other token, and its reserves can be easily manipulated using flash loans. Consequently, a malicious user could artificially inflate or deflate the ratio, leading to the unintended minting of more tokens by manipulating the price ratio.

Impact

The vulnerability allows an attacker to manipulate the price ratio between tokens by temporarily altering the reserves with a flash loan, leading to incorrect pricing and potentially resulting in significant financial loss or the creation of excessive tokens.

Code Snippet

Tools Used

Recommendation

To mitigate this vulnerability, consider implementing a time-weighted average price (TWAP) for the token pair pricing or using a decentralized oracle that is resistant to manipulation by flash loans.
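An added sketch (not part of the original report, and not Cork or Uniswap code) of why the recommendation points to a TWAP: a fee-less constant-product pool with a time-weighted accumulator, where a large swap and its reversal land in the same block. The `Pair` class, the `twap` helper, the reserve sizes and the 1800-second window are all constructed assumptions.

```python
from fractions import Fraction

class Pair:
    """Constant-product pool (no fee) with a time-weighted price accumulator."""

    def __init__(self, reserve_ra, reserve_ct, now=0):
        self.ra, self.ct = Fraction(reserve_ra), Fraction(reserve_ct)
        self.cumulative, self.last_ts = Fraction(0), now

    def spot_ratio(self):
        # Ratio read straight from current reserves: it moves with every swap.
        return self.ra / self.ct

    def cumulative_at(self, now):
        # Accumulator value at `now`, counting the price held since the last update.
        return self.cumulative + self.spot_ratio() * (now - self.last_ts)

    def swap(self, ra_in=0, ct_in=0, now=0):
        # Accrue the pre-swap price first, then move reserves along x * y = k.
        self.cumulative, self.last_ts = self.cumulative_at(now), now
        k = self.ra * self.ct
        if ra_in:
            self.ra += ra_in
            self.ct = k / self.ra
        else:
            self.ct += ct_in
            self.ra = k / self.ct

def twap(pair, start_cumulative, start_ts, now):
    # Average price over [start_ts, now] from two accumulator readings.
    return (pair.cumulative_at(now) - start_cumulative) / (now - start_ts)

def simulate():
    pair = Pair(1_000_000, 1_000_000, now=0)   # constructed reserves, ratio 1
    start_cum, start_ts = pair.cumulative_at(0), 0
    now = 1800                                 # both swaps share this timestamp
    pair.swap(ra_in=9_000_000, now=now)        # large RA inflow skews reserves
    spot_mid = pair.spot_ratio()               # what a reserve-ratio read sees
    twap_mid = twap(pair, start_cum, start_ts, now)
    pair.swap(ct_in=900_000, now=now)          # inflow reversed in the same block
    return spot_mid, twap_mid, pair.spot_ratio()

if __name__ == "__main__":
    spot_mid, twap_mid, spot_after = simulate()
    print(f"spot mid-tx: {spot_mid}, TWAP mid-tx: {twap_mid}, spot after: {spot_after}")
```

In this model a price that is held across blocks still enters the average in proportion to how long it is held, so the averaging window length matters.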

sherlock-admin4 commented 1 month ago

1 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

There is no real example or attack vector showing how getCurrentPriceRatio can be manipulated.