QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Oracle Manipulation

mibrobuba

Summary

The MultiHopOracle contract relies on external oracles for pricing data. If any of these oracles is compromised, malicious actors could manipulate the data returned by the oracle to produce incorrect results. Since the contract uses a sequential calculation method based on HopConfig, even a single manipulated oracle in the chain could significantly distort the final output.

Vulnerability Details

function _getData() internal view override returns (int216 data, uint40 timestamp) {

HopConfig memory firstOracle = oracles[0];

(data, timestamp) = firstOracle.oracle.getData();

if (firstOracle.invert) {

data = 10 ** 36 / data; // 10^36 (i.e., 1 with 18 decimals * 10^18) to get the inverse with 18 decimals.

// 10**36 is automatically precomputed by the compiler, no explicit caching needed

}

uint256 oracleLength = oracles.length;

for (uint i = 1; i < oracleLength; ) {

HopConfig memory oracleConfig = oracles[i];

(int216 oracleRes, uint40 oracleTimestamp) = oracleConfig.oracle.getData();

if (oracleTimestamp < timestamp) {

timestamp = oracleTimestamp; // Return minimum timestamp

}

// depends which way the oracle conversion is happening

if (oracleConfig.invert) {

data = (data * 10 ** 18) / oracleRes;

} else {

data = (data * oracleRes) / 10 ** 18;

}

unchecked {

++i;

}

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/MultiHopOracle.sol#L28-L55

Impact

Manipulated prices could lead to incorrect trades, unfair arbitrage opportunities, or systemic losses in dependent systems.
Invalid oracle data could cause calculations to revert or return unusable results, disrupting contract functionality.
Users may lose trust in the contract if it consistently produces incorrect results due to oracle manipulation.
Manipulated data combined with inversion (10 ** 36 / data) could amplify inaccuracies or distort results further.

Tools Used

Manual Code Review

Recommendations

Instead of directly chaining oracle data, use decentralized oracle networks (e.g., Chainlink) that aggregate data from multiple independent sources.
Reject suspicious or extreme oracle data using pre-defined thresholds or outlier detection.
Instead of relying on sequential calculations, aggregate data from multiple oracles (e.g., using the median or weighted average) to minimize the impact of any single manipulated oracle.
Reject oracle values that fall outside a predefined acceptable range, which could help ignore manipulated or extreme values.

function _getData() internal view override returns (int216 data, uint40 timestamp) {

uint256 oracleLength = oracles.length;

require(oracleLength > 0, "No oracles configured");

int216[] memory results = new int216[]();

uint40[] memory timestamps = new uint40[]();

for (uint i = 0; i < oracleLength; ) {

HopConfig memory oracleConfig = oracles[i];

(int216 oracleRes, uint40 oracleTimestamp) = oracleConfig.oracle.getData();

require(oracleRes > 0, "Oracle returned invalid data");

if (oracleConfig.invert) {

oracleRes = int216((10 ** 36) / uint216(oracleRes)); // Safely invert

}

results[i] = oracleRes;

timestamps[i] = oracleTimestamp;

unchecked {

++i;

}

// Calculate the median price and use the minimum timestamp

data = _calculateMedian(results);

timestamp = _findMinimumTimestamp(timestamps);

}

function _calculateMedian(int216[] memory values) internal pure returns (int216) {

uint256 n = values.length;

require(n > 0, "No values to calculate median");

for (uint i = 0; i < n - 1; i++) {

for (uint j = i + 1; j < n; j++) {

if (values[i] > values[j]) {

(values[i], values[j]) = (values[j], values[i]);

}

return values[n / 2]; // Median

}

function _findMinimumTimestamp(uint40[] memory timestamps) internal pure returns (uint40) {

uint40 minTimestamp = timestamps[0];

for (uint i = 1; i < timestamps.length; ++i) {

if (timestamps[i] < minTimestamp) {

minTimestamp = timestamps[i];

}

return minTimestamp;

}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!