Attacker can force the use of chainlinks instead of TWAP oracles #72
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-b
insufficient quality report
This report is not of sufficient quality
primary issue
Highest quality submission among a set of duplicates
Q-16
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_54_group
AI based duplicate group recommendation
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibOracle.sol#L102-L106
Vulnerability details
Impact
When the price of a token changes significantly, if the TWAP is intentionally not used, an attacker can benefit from the price difference.
Proof of Concept
In
LibOracle.baseOracleCircuitBreaker
, if the cached price and the newly retrieved price from Chainlink are significantly different, the UniswapV3 TWAP oracle is used. If the WETH balance in the Uniswap pool is less than 100 ether, the TWAP is not used, and the price from Chainlink is used instead.Attackers can manipulate the balance of the Uniswap pool using Uniswap's flashswap feature. In other words, attackers can intentionally disable TWAP.
The Chainlink oracle updates slower than DEX. When the price of a token changes significantly, if the TWAP is intentionally not used, an attacker can benefit from the price difference.
Tools Used
Manual Review
Recommended Mitigation Steps
Check UniswapV3 flashswap in this way.
Assessed type
Oracle
The text was updated successfully, but these errors were encountered: