This repository has been archived by the owner on Jan 7, 2025. It is now read-only.

Anubis - Vulnerability in External Contract Calls #36

Closed
sherlock-admin2 opened this issue Feb 4, 2024 · 2 comments
Labels
- Excluded: Excluded by the judge without consulting the protocol or the senior
- Non-Reward: This issue will not receive a payout
- Sponsor Disputed: The sponsor disputed this issue's validity
- Won't Fix: The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin2
Contributor

sherlock-admin2 commented Feb 4, 2024

Anubis

Severity: high

Vulnerability in External Contract Calls

Summary

The DelayedOrder contract is vulnerable due to insufficient validation of external price data in the executeOrder function, potentially allowing market manipulation.

Vulnerability Detail

Consider a function in DelayedOrder that relies on price data from an external oracle or contract. If this external source is compromised or manipulates the data, it could lead to incorrect transaction executions within DelayedOrder.

Impact

1. Attacker's Manipulated Data:
   - Attacker provides a manipulated price of an asset: reported as $80, but the true market price is $100.
2. Execution of Trades:
   - Attacker buys 100 units of the asset at the manipulated price of $80, spending $8,000 (100 units * $80).
3. Price Correction and Attacker's Sale:
   - When the price corrects to its true value of $100, the attacker sells these 100 units, receiving $10,000 (100 units * $100).
4. Profit Realization:
   - Attacker's profit: $10,000 (sale) - $8,000 (purchase) = $2,000.
5. Impact on Other Users:
   - Other users, who sold at the manipulated price, incur a loss of $20 per unit (true price $100 - manipulated price $80).

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L378-L387

Tool used

Manual Review

Recommendation

Enhanced Data Validation:
Implement stringent validation of external price data to prevent exploitation.

function validateExternalData(bytes[] calldata priceUpdateData) internal view {
    // Logic for validating external data
}

function executeOrder(
    address account,
    bytes[] calldata priceUpdateData
) external payable nonReentrant whenNotPaused {
    validateExternalData(priceUpdateData);  // Implementing robust validation
    // ...
}

This fix aims to prevent market manipulation by ensuring the integrity and reliability of the price data used in order executions.
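As an added illustration that is not code from the Flat Money repository or from the report author, the following sketches what stringent validation of a decoded oracle price can look like in a consuming contract: a positive price, a freshness window, a bounded confidence interval and a bounded deviation from an on-chain reference. The `OraclePrice` struct, the function names and the basis-point thresholds are assumptions; `nowTime` is passed in (a caller would supply `block.timestamp`) so the library stays pure.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Added example, not the project's code: sanity checks a consumer can apply
/// to an oracle price before acting on it. The struct only mirrors the shape
/// of a feed that reports a price, exponent, confidence interval and publish
/// time; names and thresholds are assumptions.
library PriceValidation {
    struct OraclePrice {
        int64 price;        // price in units of 10^expo
        uint64 conf;        // confidence interval, same units as price
        int32 expo;         // decimal exponent, e.g. -8
        uint64 publishTime; // unix time the price was published
    }

    error NonPositivePrice(int64 price);
    error FuturePrice(uint64 publishTime, uint256 nowTime);
    error StalePrice(uint64 publishTime, uint256 nowTime);
    error ConfidenceTooWide(uint64 conf, int64 price);
    error DeviationTooLarge(uint256 price, uint256 reference);
    /// Reverts unless `p` is positive, fresh and tight enough to trust.
    /// `maxAge` is in seconds; `maxConfBps` bounds conf/price in basis points.
    function requireValid(
        OraclePrice memory p,
        uint256 nowTime,
        uint256 maxAge,
        uint256 maxConfBps
    ) internal pure {
        if (p.price <= 0) revert NonPositivePrice(p.price);
        if (p.publishTime > nowTime) revert FuturePrice(p.publishTime, nowTime);
        if (nowTime - p.publishTime > maxAge) revert StalePrice(p.publishTime, nowTime);
        // conf / price <= maxConfBps / 10_000, cross-multiplied to avoid division
        if (uint256(p.conf) * 10_000 > uint256(uint64(p.price)) * maxConfBps) {
            revert ConfidenceTooWide(p.conf, p.price);
        }
    }

    /// Reverts if `price` differs from a non-zero on-chain `reference` (for
    /// example a slower secondary oracle) by more than `maxDevBps` basis points.
    function requireWithinDeviation(
        uint256 price,
        uint256 reference,
        uint256 maxDevBps
    ) internal pure {
        uint256 diff = price > reference ? price - reference : reference - price;
        if (diff * 10_000 > reference * maxDevBps) {
            revert DeviationTooLarge(price, reference);
        }
    }
}
```

Which of these checks a consumer should own depends on what the oracle contract that decodes and verifies the raw update bytes already guarantees; the judge's comment below notes that for this codebase that verification is done by out-of-scope contracts.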

sherlock-admin2 added the Sponsor Disputed and Won't Fix labels on Feb 8, 2024
github-actions bot added the Excluded label on Feb 11, 2024
@sherlock-admin
Contributor

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

sherlock-admin2 changed the title from "Restless Indigo Manatee - Vulnerability in External Contract Calls" to "Anubis - Vulnerability in External Contract Calls" on Feb 20, 2024
sherlock-admin2 added the Non-Reward label on Feb 20, 2024
@nevillehuang
Collaborator

Seemingly a duplicate of #188, but invalid: checks for a valid Pyth price update are trusted to be done by out-of-scope contracts, as seen here.
