First Flight #21: KittyFi
First Flight #21
Beginner FriendlyDeFiFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Price Feed Manipulation

Shitzu

Summary

Price feed manipulation can have severe consequences in a DeFi protocol, especially one that relies on accurate price data for collateral calculations and liquidations. Here are some strategies to mitigate the risk of price feed manipulation.

Strategies to Mitigate Price Feed Manipulation:

  1. Use Trusted Oracles:

    • Chainlink: Use Chainlink oracles, which are decentralized and secure, to fetch price data.

    • Multiple Oracles: Aggregate data from multiple trusted oracles to reduce reliance on a single source.

  2. Data Aggregation:

    • Medianizer: Use a medianizer contract that aggregates prices from multiple sources and takes the median value to reduce the impact of outliers.

    • Time-Weighted Average Price (TWAP): Implement TWAP to smooth out short-term price volatility and manipulation attempts.

  3. Price Validation:

    • Sanity Checks: Implement sanity checks to ensure that the fetched price is within a reasonable range compared to historical data.

    • Circuit Breakers: Use circuit breakers to halt operations if the price deviates significantly from expected values.

  4. Decentralized Governance:

    • Community Oversight: Allow the community to vote on which oracles to use and how to handle price anomalies.

    • Emergency Interventions: Enable decentralized governance to intervene in case of suspected price manipulation.

Vulnerability Details

  1. Single Source Dependency:

    • Issue: Relying on a single price feed source makes the protocol vulnerable if that source is compromised or manipulated.

    • Impact: An attacker could manipulate the price data to artificially inflate or deflate the value of collateral, leading to incorrect collateral ratios and potential liquidations.

  2. Oracle Manipulation:

    • Issue: If the oracle providing the price data is compromised, the attacker can feed incorrect prices to the protocol.

    • Impact: This can result in users being liquidated unfairly or minting more stablecoins than they should be able to, leading to financial imbalances.

  3. Flash Loan Attacks:

    • Issue: Attackers can use flash loans to manipulate the price feed temporarily.

    • Impact: By creating large, short-term price movements, attackers can exploit the protocol's reliance on the price feed to trigger liquidations or arbitrage opportunities.

  4. Latency and Update Frequency:

    • Issue: If the price feed updates infrequently, there can be a significant lag between the actual market price and the reported price.

    • Impact: This lag can be exploited by attackers who can predict the update cycle and manipulate the market price just before the update, causing the protocol to act on outdated or incorrect price data.

  5. Sybil Attacks:

    • Issue: In decentralized oracle networks, attackers can create multiple identities to influence the price data.

    • Impact: By controlling a significant portion of the oracle network, attackers can manipulate the reported price to their advantage.

Impact

Example Attack Scenarios:

  1. Artificial Price Inflation:

    • Scenario: An attacker manipulates the price feed to artificially inflate the value of a collateral token.

    • Impact: The attacker can then mint more stablecoins than they should be able to, based on the inflated collateral value. Once the price feed corrects, the protocol may find itself under-collateralized, leading to potential insolvency.

  2. Flash Loan Exploit:

    • Scenario: An attacker uses a flash loan to temporarily manipulate the price of a token.

    • Impact: The manipulated price is fed into the protocol, causing liquidations or allowing the attacker to borrow more than they should. After the flash loan is repaid, the price returns to normal, but the damage to the protocol is already done.

  3. Unfair Liquidations:

    • Scenario: An attacker manipulates the price feed to artificially deflate the value of a collateral token.

    • Impact: Users who have collateralized their positions with this token may find their collateral value suddenly dropping below the required threshold, triggering liquidations. The attacker can then buy the liquidated collateral at a discount, profiting from the manipulation.

Tools Used

  • Audit Wizard

  • Read the code

Recommendations

  1. Use Multiple Oracles:

    • Aggregation: Aggregate data from multiple trusted oracles to reduce reliance on a single source.

    • Medianizer: Implement a medianizer contract that takes the median value of multiple price feeds, reducing the impact of outliers.

  2. Time-Weighted Average Price (TWAP):

    • Smoothing: Implement TWAP to smooth out short-term price volatility and manipulation attempts.

    • Historical Data: Use historical price data to calculate the average price over a specified time window.

  3. Sanity Checks and Circuit Breakers:

    • Sanity Checks: Implement sanity checks to ensure that the fetched price is within a reasonable range compared to historical data.

    • Circuit Breakers: Use circuit breakers to halt operations if the price deviates significantly from expected values.

  4. Decentralized Governance:

    • Community Oversight: Allow the community to vote on which oracles to use and how to handle price anomalies.

    • Emergency Interventions: Enable decentralized governance to intervene in case of suspected price manipulation.

Example Implementation:

Here’s an example of how to integrate Chainlink price feeds securely in a Solidity contract:

Import Chainlink Libraries:

import "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

Define the Contract:

contract KittyPool {
using SafeERC20 for IERC20;
// Chainlink price feed interface
AggregatorV3Interface internal priceFeed;
// Constructor to initialize the price feed
constructor(address _priceFeed) {
priceFeed = AggregatorV3Interface(_priceFeed);
}
/**
* @notice Gets the latest price from the Chainlink price feed
* @return price The latest price
*/
function getLatestPrice() public view returns (int256 price) {
(
, // roundID
int256 price,
, // startedAt
, // updatedAt
// answeredInRound
) = priceFeed.latestRoundData();
return price;
}
/**
* @notice Checks if the fetched price is within a reasonable range
* @param price The fetched price
* @return isValid True if the price is valid, false otherwise
*/
function isValidPrice(int256 price) internal view returns (bool isValid) {
// Implement sanity checks or compare with historical data
// Example: Ensure price is within 10% of the previous price
int256 previousPrice = getPreviousPrice();
int256 lowerBound = previousPrice - (previousPrice / 10);
int256 upperBound = previousPrice + (previousPrice / 10);
return (price >= lowerBound && price <= upperBound);
}
/**
* @notice Gets the previous price from the Chainlink price feed
* @return price The previous price
*/
function getPreviousPrice() internal view returns (int256 price) {
(
, // roundID
int256 price,
, // startedAt
, // updatedAt
// answeredInRound
) = priceFeed.getRoundData(priceFeed.latestRound() - 1);
return price;
}
/**
* @notice Example function to use the validated price
*/
function exampleFunction() external {
int256 latestPrice = getLatestPrice();
require(isValidPrice(latestPrice), "Invalid price data");
// Use the validated price for collateral calculations or other logic
}
}

Explanation:

  1. Chainlink Price Feed Integration:

    • The contract initializes a Chainlink price feed in the constructor.

    • The getLatestPrice function fetches the latest price from the Chainlink oracle.

  2. Price Validation:

    • The isValidPrice function checks if the fetched price is within a reasonable range compared to the previous price.

    • The getPreviousPrice function fetches the previous price from the Chainlink oracle for comparison.

  3. Example Usage:

    • The exampleFunction demonstrates how to use the validated price for further logic, ensuring that only valid price data is used.

Benefits:

  • Security: Using Chainlink oracles and validating price data helps mitigate the risk of price manipulation, ensuring that collateral calculations and liquidations are based on accurate and reliable data.

  • Stability: Implementing sanity checks and price validation mechanisms ensures that the protocol remains stable even in the face of short-term price volatility or anomalies.

  • User Trust: By using trusted oracles and robust validation mechanisms, the protocol can build and maintain user trust, as users can be confident that their collateral and positions are managed securely.

Additional Enhancements:

To further enhance the security and reliability of the price feed mechanism, consider the following:

  1. Multiple Oracles:

    • Aggregate prices from multiple Chainlink oracles or other trusted sources to reduce reliance on a single data provider.

    • Use a medianizer contract to take the median value of multiple price feeds, reducing the impact of outliers.

  2. Time-Weighted Average Price (TWAP):

    • Implement a TWAP mechanism to smooth out short-term price fluctuations and reduce the impact of temporary price manipulation.

    • Calculate the average price over a specified time window to provide a more stable price reference.

  3. Circuit Breakers:

    • Implement circuit breakers that halt critical operations if the price deviates significantly from expected values.

    • This can prevent cascading liquidations or other adverse effects in case of sudden and extreme price movements.

Example of Multiple Oracles and Medianizer:

Import Additional Libraries:

import "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";
import "@openzeppelin/contracts/utils/math/SafeMath.sol";

Define the Contract:

contract KittyPool {
using SafeMath for uint256;
AggregatorV3Interface internal priceFeed1;
AggregatorV3Interface internal priceFeed2;
AggregatorV3Interface internal priceFeed3;
constructor(address _priceFeed1, address _priceFeed2, address _priceFeed3) {
priceFeed1 = AggregatorV3Interface(_priceFeed1);
priceFeed2 = AggregatorV3Interface(_priceFeed2);
priceFeed3 = AggregatorV3Interface(_priceFeed3);
}
/**
* @notice Gets the median price from multiple Chainlink price feeds
* @return medianPrice The median price
*/
function getMedianPrice() public view returns (int256 medianPrice) {
int256 price1 = getLatestPrice(priceFeed1);
int256 price2 = getLatestPrice(priceFeed2);
int256 price3 = getLatestPrice(priceFeed3);
int256[] memory prices = new int256[](3);
prices[0] = price1;
prices[1] = price2;
prices[2] = price3;
// Sort the prices array
for (uint256 j = i + 1; j < prices.length; j++) {
if (prices[i] > prices[j]) {
int256 temp = prices[i];
prices[i] = prices[j];
prices[j] = temp;
}
}
}
// Return the median price
return prices[1];
}
/**
* @notice Gets the latest price from a specific Chainlink price feed
* @param priceFeed The Chainlink price feed interface
* @return price The latest price
*/
function getLatestPrice(AggregatorV3Interface priceFeed) internal view returns (int256 price) {
(
, // roundID
int256 price,
, // startedAt
, // updatedAt
// answeredInRound
) = priceFeed.latestRoundData();
return price;
}
/**
* @notice Example function to use the validated median price
*/
function exampleFunction() external {
int256 medianPrice = getMedianPrice();
require(isValidPrice(medianPrice), "Invalid price data");
// Use the validated median price for collateral calculations or other logic
}
/**
* @notice Checks if the fetched price is within a reasonable range
* @param price The fetched price
* @return isValid True if the price is valid, false otherwise
*/
function isValidPrice(int256 price) internal view returns (bool isValid) {
// Implement sanity checks or compare with historical data
// Example: Ensure price is within 10% of the previous price
int256 previousPrice = getPreviousPrice();
int256 lowerBound = previousPrice - (previousPrice / 10);
int256 upperBound = previousPrice + (previousPrice / 10);
return (price >= lowerBound && price <= upperBound);
}
/**
* @notice Gets the previous price from the Chainlink price feed
* @return price The previous price
*/
function getPreviousPrice() internal view returns (int256 price) {
(
, // roundID
int256 price,
, // startedAt
, // updatedAt
// answeredInRound
) = priceFeed1.getRoundData(priceFeed1.latestRound() - 1);
return price;
}
}

Explanation:

  1. Multiple Oracles:

    • The contract initializes three Chainlink price feeds in the constructor.

    • The getLatestPrice function fetches the latest price from a specified Chainlink oracle.

  2. Medianizer:

    • The getMedianPrice function fetches prices from three different oracles and sorts them to find the median price.

    • Sorting is done using a simple bubble sort algorithm for demonstration purposes.

  3. Price Validation:

    • The isValidPrice function checks if the fetched price is within a reasonable range compared to the previous price.

    • The getPreviousPrice function fetches the previous price from one of the Chainlink oracles for comparison.

dExample Usage:

  • The exampleFunction demonstrates how to use the validated median price for further logic, ensuring that only valid price data is used.

Benefits:

  • Security: By using multiple Chainlink oracles and calculating the median price, the contract reduces the risk of relying on a single data source that could be manipulated.

  • Stability: Implementing sanity checks and using the median price helps to smooth out short-term price volatility and anomalies, providing more stable and reliable price data.

  • User Trust: Users can have greater confidence in the protocol's price data, knowing that it is derived from multiple trusted sources and validated for accuracy.

Additional Enhancements:

To further enhance the security and reliability of the price feed mechanism, consider implementing the following:

  1. Time-Weighted Average Price (TWAP):

    • Calculate the average price over a specified time window to provide a more stable price reference.

    • This can be done by storing historical prices and calculating the average over the desired period.

  2. Circuit Breakers:

    • Implement circuit breakers that halt critical operations if the price deviates significantly from expected values.

    • This can prevent cascading liquidations or other adverse effects in case of sudden and extreme price movements.

Updates

Lead Judging Commences

shikhar229169 Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.