First Flight #3: Thunder Loan
First Flight #3
Beginner FriendlyFoundryDeFiOracle
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Price Oracle + Flashloan manipulation to impact fee, exchange etc

aballok

Summary

It seems oracle for price used is based on swap pool can be manipulated by swapping in pool and this price manipulation can be amplified using Flashloan from this very same protocol

Vulnerability Details

function getPriceOfOnePoolTokenInWeth() external view returns (uint256);

Price in relation to WETH seems to be from Swap spool

function getPriceInWeth(address token) public view returns (uint256) {
address swapPoolOfToken = IPoolFactory(s_poolFactory).getPool(token);
return ITSwapPool(swapPoolOfToken).getPriceOfOnePoolTokenInWeth();
}

The price comes from the pool of the token

Swap pool related prices or oracle mechanisms can be manipulated by exchanging a large number of tokens to increase or decrease the exchange rate for tokens. Whats worse is attacker who deposits an underlying can amplify this by using the very Flashloan they take fromm this protocol to swap in the pool and increase the exchange rate so that they can redeem more

uint256 exchangeRate = assetToken.getExchangeRate(); // exchange rate in redemption based on price that can be manipulated

Impact

Pool related prices used in calculations for fee, exchange rate redemption etc can be manipulated to benefit attacker or disadvantage other users

Tools Used

Manual Analysis

Recommendations

Recommended to make use of Chainlink Oracles as opposed to swap Oracles

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

weak oracle

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.