15,000 USDC
Submission Details
Severity: high

Price Volatility Vulnerability in liquidate Function

Summary

The DSCEngine contract is vulnerable to price volatility, allowing attackers to exploit sudden price spikes and trigger unintended user liquidations.

Vulnerability Details

The DSCEngine contract does not account for extreme volatility in the collateral-token prices returned by its oracle price feeds. As a result, user positions can be liquidated unexpectedly when the collateral value experiences a sudden and significant spike. Attackers monitoring for such spikes can combine them with flash loans to trigger liquidation attempts against the affected users.

Impact

The potential consequences of this vulnerability are significant:

Unintended Liquidations: A temporary price spike could get a user liquidated even though their overall position is fundamentally solvent, costing them collateral and disrupting their position.

Arbitrage Exploitation: Attackers can exploit the vulnerability to profit from the discounted acquisition of collateral tokens during the liquidation process, which can lead to arbitrage opportunities once prices stabilize.

User Confidence Erosion: Frequent unexpected liquidations could erode user trust in the platform, leading to decreased adoption and engagement.

Tools Used

Manual Review

Recommendations

  • Implement Price Range Security: Develop and integrate a mechanism that temporarily suspends liquidations during periods of extreme price volatility. This involves setting predefined price ranges within which liquidations will be disabled, thereby preventing liquidations triggered by transient price spikes.

  • Enhance Oracle Aggregation: Utilize multiple oracle sources for price feeds and implement an aggregation mechanism to reduce the impact of individual oracle inaccuracies or manipulation attempts.
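As an added illustration of the first recommendation (not DSCEngine's own code, nor part of the original submission), the following Solidity sketch is a guard that a `liquidate` function could call before proceeding: it refuses liquidations while the feed price has moved more than a configured band against the last accepted observation within a short window. The Chainlink `AggregatorV3Interface`, the threshold constants and all contract, function and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed: the Chainlink AggregatorV3Interface that a DSCEngine-style engine reads prices from.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical volatility guard for liquidations (example code, not DSCEngine's).
/// A liquidation reverts if the current feed price deviates from the last accepted
/// observation by more than MAX_MOVE_BPS and that observation is younger than VOLATILITY_WINDOW.
abstract contract VolatilityGuard {
    uint256 public constant MAX_MOVE_BPS = 1_000;       // 10% move within one window pauses liquidations
    uint256 public constant VOLATILITY_WINDOW = 1 hours; // how long a price move counts as "sudden"
    uint256 public constant MAX_STALE = 3 hours;         // reject feeds that have stopped updating
    uint256 private constant BPS = 10_000;

    struct Observation { int256 price; uint256 timestamp; }
    mapping(address => Observation) private _lastObservation; // feed => last accepted price

    error VolatilityGuard__StalePrice(address feed, uint256 updatedAt);
    error VolatilityGuard__LiquidationsPaused(address feed, int256 previous, int256 current);

    /// Reads the feed, reverts on a stale or extreme price, otherwise records the new baseline.
    /// Every state-changing entry point (deposit, mint, redeem, liquidate) should call this so
    /// the baseline tracks the price the engine has actually been operating on.
    function _checkVolatility(address feed) internal {
        (, int256 current, , uint256 updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();
        if (current <= 0 || block.timestamp - updatedAt > MAX_STALE) {
            revert VolatilityGuard__StalePrice(feed, updatedAt);
        }
        Observation memory last = _lastObservation[feed];
        if (last.price > 0 && block.timestamp - last.timestamp <= VOLATILITY_WINDOW) {
            // Absolute move in feed units, then compared as basis points of the previous price.
            uint256 diff = uint256(current > last.price ? current - last.price : last.price - current);
            if (diff * BPS > uint256(last.price) * MAX_MOVE_BPS) {
                // Baseline is deliberately NOT updated here, so repeated calls at the spiked
                // price keep reverting until the window has elapsed or the price settles.
                revert VolatilityGuard__LiquidationsPaused(feed, last.price, current);
            }
        }
        _lastObservation[feed] = Observation(current, block.timestamp);
    }
}
```

Because the check compares only two observations, it pauses liquidations for a genuine, persistent move as well as a transient spike; the window length therefore bounds how long legitimately undercollateralised positions can stay open, and should be chosen together with the protocol's collateral buffer.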
