A single liquidity pool should never be used as the sole source of market price data. Such a pool can be flash-loan funded, so the token price it reports can be skewed drastically within a single transaction, which is the basis of many DeFi attacks.
An attacker can use a flash loan to manipulate the price of a token on a DEX. Once the price is temporarily manipulated with the flash loan funds, the attacker can then go to a protocol (that relies solely on the DEX pool for price info) and exploit the manipulated price to buy or sell assets above or below market price.
Centralized, single-source price oracles (e.g. a single Uniswap liquidity pool) should never be used.
src/protocol/OracleUpgradeable.sol
https://github.com/Cyfrin/2023-11-Thunder-Loan/blob/8539c83865eb0d6149e4d70f37a35d9e72ac7404/src/protocol/OracleUpgradeable.sol#L21C36-L21C36
The price of a token on a DEX can be manipulated via a flash loan, so any lending protocol that depends on that DEX pool for price information is at risk of attack.
Use a decentralized price oracle such as Chainlink.
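As an added illustration (not code from Thunder Loan or from this finding), the anti-pattern and a Chainlink-based replacement side by side: the Uniswap V2 pair and Chainlink aggregator interfaces are the real ones, while the contract names and the maxAge staleness bound are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not project code. Shows a pool-reserve spot oracle beside a Chainlink-based one.

// Minimal Uniswap V2-style pair interface (real function; reserves can change within one tx).
interface IUniswapV2Pair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

// Minimal Chainlink aggregator interface (real functions).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Vulnerable: the price is read from a single pool's current reserves. A large flash-loan-funded
// swap skews reserve1/reserve0, the protocol reads this oracle, and the swap is unwound, all in one tx.
contract SpotPoolOracle {
    IUniswapV2Pair public immutable pair;
    constructor(IUniswapV2Pair _pair) { pair = _pair; }

    // Price of token0 denominated in token1, scaled by 1e18.
    function getPrice() external view returns (uint256) {
        (uint112 r0, uint112 r1,) = pair.getReserves();
        return (uint256(r1) * 1e18) / uint256(r0);
    }
}

// Hardened: the price comes from a Chainlink feed aggregated from many independent sources,
// which a swap against one pool cannot move. Non-positive and stale answers are rejected.
contract ChainlinkOracle {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge; // assumed: feed heartbeat plus a safety margin, chosen at deployment

    constructor(AggregatorV3Interface _feed, uint256 _maxAge) { feed = _feed; maxAge = _maxAge; }

    // Price scaled to 1e18 regardless of the feed's own decimals.
    function getPrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "invalid answer");
        require(block.timestamp - updatedAt <= maxAge, "stale price");
        return (uint256(answer) * 1e18) / (10 ** feed.decimals());
    }
}
```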
Manual Audit
Foundry