Closed sherlock-admin3 closed 1 month ago
1 comment(s) were left on this issue during the judging contest.
merlinboii commented:
OOS. The function already introduce the slipage check for redeemInstant and the price data fee has the min/max acceptable range checks
admin
High
No Protection Against Flash Loan Attacks at redeemInstnt function for RedemptionVault contract
Summary
Line: https://github.com/sherlock-audit/2024-08-midas-minter-redeemer/blob/main/midas-contracts/contracts/RedemptionVault.sol#L124 The contract does not have explicit protections against flash loan attacks, which could allow an attacker to manipulate token prices or exploit the rate conversion logic within a single transaction.
Root Cause
Price manipulation
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Attacker can manipulate token prices or exploit the rate conversion logic within a single transaction.
PoC
Deploy VulnerableContract with a normal price of 1 unit. Deploy FlashLoanAttacker with references to the flash loan provider, the vulnerable contract, and the token contract. Execute the executeFlashLoan function on the FlashLoanAttacker contract, which will: Borrow tokens via a flash loan. Manipulate the price in the vulnerable contract. Buy tokens at the manipulated price. Repay the flash loan. Profit from the price difference. Summary of the Attack Flow The attacker borrows tokens through a flash loan. The attacker inflates the price of the token in the VulnerableContract by manipulating the oracle. The attacker buys a large amount of tokens at the manipulated price. The attacker then resets the price to its original value. The attacker repays the flash loan and profits from the difference in token value.
Security Mitigations: The primary defense against such attacks involves using a reliable oracle that cannot be easily manipulated within a single transaction (e.g., time-weighted average price oracles). Practical Implementation: In a real-world scenario, this would require integration with existing flash loan providers like Aave, dYdX, or Uniswap, and using actual token contracts.
Mitigation
Security Mitigations: The primary defense against such attacks involves using a reliable oracle that cannot be easily manipulated within a single transaction (e.g., time-weighted average price oracles). Practical Implementation: In a real-world scenario, this would require integration with existing flash loan providers like Aave, dYdX, or Uniswap, and using actual token contracts.