search

sherlock-audit / 2024-08-woofi-solana-deployment-judging

2 stars 2 forks source link

S3v3ru5 - WooFi program ignores Pyth price feed confidence interval #42

Open sherlock-admin2 opened 1 month ago

sherlock-admin2 commented 1 month ago

S3v3ru5

Medium

WooFi program ignores Pyth price feed confidence interval

Summary

The Pyth price feed returns confidence interval along with the price. The actual price of an asset can be any value in between price +/- confidence.

The woofi program, while comparing the wooracle price against the Pyth price, completely ignores the confidence interval.

The Pyth price feed for BTC/USD faced an incident where the price returned has diverged from the actual price. The incident report notes the following:

Several Solana programs relying on Pyth prices were impacted by this incident. The impact was exacerbated due to some programs relying on the aggregate price feed without using the confidence, which allowed liquidations to occur even though the published price was highly uncertain.

The incident shows the importance of checking the confidence intervals for prices.

This could be problematic for the WooFi Solana as the Pyth price is essential to prevent any kind of price-manipulation attacks on WooFi.

The WooFi V2 Solidity has the same formulas as the WooFi Solana and the Sherlock audit report shows that pool can be drained in the absence of the Chainlink price feeds: Issue H-1 in the Sherlock WooFi audit

Note the proposed fix for H-1, i.e to update spread on posting new price, can be bypassed by doing swaps of small amounts while still impacting the price. It is more detailed in a different issue. The graph shows the price impact and when the spread is updated. x-axis is number of base tokens without decimals.

Root Cause

The get_price_impl function ignores the Pyth price confidence interval while computing the clo_price:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/get_price.rs#L52-L72

Internal pre-conditions

No response

External pre-conditions

  1. Pyth price feed faces an incident and returns incorrect prices.

Attack Path

  1. Pyth price feed for SOL faces an incident and the reported price deviates from the actual price with increased confidence intervals.
  2. Attacker takes advantage of the incident to drain the protocol similar to WooFi previous incident
    • Attacker repeatedly swaps SOL to USDC in smaller amounts to not trigger update to the spread while reducing the wooracle price for SOL-USDC. The swaps are done to ensuring the new price is low and is around the reported price from Pyth.
    • As shown in the Pyth incident report's graph, the price is reported across a range repeatedly. The attacker can perform the swaps when the pyth price is favorable and wooracle price is in the bounds.
    • Attacker sells USDC for SOL after manipulating price.

Attacker can steal the tokens using the attack.

Note the solana blocktime is in milliseconds, even the shortest time can be turned into a favorable outcome to the attacker.

Also because of presence of multiple instructions in transactions, the swaps with smaller amounts can be performed with minimal transaction costs.

reference: https://neodyme.io/en/blog/lending_disclosure/

Impact

The missing use of confidence interval might allow for price manipulation

PoC

No response

Mitigation

No response

toprince commented 1 month ago

Need further investigation here. same with https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/21

S3v3ru5 commented 1 month ago

The judging comments states:

The price from Pyth is still compared to wo_price (price from WooFi). Any incorrect price in Pyth will be blocked by the check here: https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/get_price.rs#L78-L80

The wo_price is manipulatable even with the new formulas hence this is considered an issue. If the wo_price is not manipulatable then the external price feed such as chainlink or pyth are not that important and this does not cause any damage. The importance of the external price feed is apparent from the mentioned previous audit reports including sherlock report.

The pyth price feeds work as protection for the wo_price not the other way around. This issue shows that protection is not implemented correctly.