The MultiFlowPump contract employs a cap mechanism controlled by LOG_MAX_INCREASE and LOG_MAX_DECREASE parameters to limit the rate of reserve value changes per block. However, an attacker could potentially exploit this mechanism by making small, calculated changes to the reserves that stay within these limits, allowing for incremental manipulation over time.
The cap logic is designed to prevent extreme fluctuations in reserves or prices by limiting the maximum percentage increase or decrease in a single block. The weakness is that it only constrains the size of each step, not the cumulative change: as long as the configured limits allow non-trivial per-block moves, an attacker can make trades that shift the price just inside those limits on every update, so the cap is never triggered and the update is always accepted.
Cap Mechanism
The cap mechanism works by calculating the cap limits based on the time elapsed since the last update. The cap limits are adjusted to ensure that the price changes are not too extreme, which could be indicative of manipulation. The cap limits are set using parameters such as LOG_MAX_INCREASE and LOG_MAX_DECREASE, which represent the maximum percentage increase or decrease allowed in a single block.
Exploitation
An attacker could exploit this vulnerability by making small, gradual changes to the price or reserve values, each within the cap limits. Because every step passes the check, these changes accumulate over successive blocks and can move the recorded prices or reserves far from the true market values, producing inaccurate or misleading oracle data.
If successfully executed, this strategy could lead to manipulated Exponential Moving Average (EMA) and Cumulative Geometric Simple Moving Average (SMA) values, affecting any dependent price oracles or financial instruments. This could result in distorted market behavior, unfair advantages, and potential financial losses for other market participants.
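The following Python model is an added illustration, not code from the MultiFlowPump contract. It reproduces the log-space cap described above (the cap band scales with the number of blocks elapsed), shows that in-cap moves compound to the same bound the cap would allow, and adds a monitoring heuristic that flags a sequence of updates riding the edge of the cap. The cap values, the `walk` helper and the `flag_cap_riding` heuristic are assumptions for this example; the contract's deployed LOG_MAX_INCREASE / LOG_MAX_DECREASE values are not given in the finding.

```python
import math
# Constructed cap parameters in log2 space for this example; the finding names
# LOG_MAX_INCREASE / LOG_MAX_DECREASE but not their deployed values.
LOG_MAX_INCREASE = math.log2(1.05)   # at most +5% per block
LOG_MAX_DECREASE = math.log2(0.95)   # at most -5% per block (negative in log space)


def cap_reserve(last_log, proposed_log, blocks_passed):
    """Clamp a proposed log2 reserve to the band allowed after blocks_passed blocks; returns (capped, cap_hit)."""
    lo = last_log + blocks_passed * LOG_MAX_DECREASE
    hi = last_log + blocks_passed * LOG_MAX_INCREASE
    capped = min(max(proposed_log, lo), hi)
    return capped, capped != proposed_log


def max_drift_factor(blocks):
    """Largest multiplicative change the cap can ever record over `blocks` blocks."""
    return 2 ** (blocks * LOG_MAX_INCREASE)


def simulate_drift(start_reserve, per_block_factor, blocks):
    """Move the recorded reserve by an in-cap factor once per block; the cap never trips, yet the result compounds."""
    last = math.log2(start_reserve)
    for _ in range(blocks):
        last, hit = cap_reserve(last, last + math.log2(per_block_factor), 1)
        assert not hit  # every step is accepted unchanged
    return 2 ** last


def walk(start_log, per_block_factor, n):
    """Constructed update stream: n one-block moves of (last_log, proposed_log, blocks_passed)."""
    moves, last = [], start_log
    for _ in range(n):
        moves.append((last, last + math.log2(per_block_factor), 1))
        last = moves[-1][1]
    return moves


def budget_used(last_log, proposed_log, blocks_passed):
    """Signed fraction of the allowed cap budget a move consumes (+ up, - down); 0 if no blocks elapsed."""
    if blocks_passed <= 0:
        return 0.0
    delta = proposed_log - last_log
    limit = blocks_passed * (LOG_MAX_INCREASE if delta >= 0 else -LOG_MAX_DECREASE)
    return delta / limit


def flag_cap_riding(moves, window=5, min_fraction=0.8):
    """Monitoring heuristic (assumed, not part of the pump): indices where the last `window` moves
    all used >= min_fraction of their budget in one direction, i.e. updates hugging the cap edge."""
    flagged = []
    for i in range(window - 1, len(moves)):
        fracs = [budget_used(*m) for m in moves[i - window + 1:i + 1]]
        same_dir = all(f > 0 for f in fracs) or all(f < 0 for f in fracs)
        if same_dir and all(abs(f) >= min_fraction for f in fracs):
            flagged.append(i)
    return flagged
```

`max_drift_factor` is the figure to check when choosing cap parameters: it bounds how far the recorded value can be walked over a given number of blocks without a single capped update.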
Manual review
Introduce a minimum time interval between updates, or allow only one update per block, to prevent rapid manipulation.
Consider adding a governance mechanism to adjust LOG_MAX_INCREASE and LOG_MAX_DECREASE dynamically in response to changing market conditions.