Zaros Part 2
Tags: Perpetuals DEX, Foundry, Solidity
Prize pool: 70,000 USDC

Submission Details
Severity: High
Status: Invalid

[H-1] Malicious Keeper Oracle Manipulation via Unvalidated Price Data at `StabilityBranch`

Summary

The StabilityBranch::fulfillSwap function accepts arbitrary priceData from keepers without validating the freshness or source of the price, so a keeper can settle a swap against a price that no longer holds and extract vault assets.

Vulnerability Details

Affected Code:

// StabilityBranch.sol
// priceData is keeper-supplied; nothing on this path bounds the report's age
ctx.priceX18 = stabilityConfiguration.verifyOffchainPrice(priceData); // No timestamp check

Exploit Scenario:

  1. A keeper submits a stale price report for the collateral asset, signed when the price was higher than it is now.

  2. getAmountOfAssetOut computes the asset amount against the stale price instead of the current one.

  3. The keeper settles the swap at the stale price and keeps the difference at the vault's expense.

// Attacker replays a 1-hour-old price report after the asset dropped 20%
vm.warp(block.timestamp + 3600);                       // advance one hour past the report's timestamp
bytes memory stalePriceData = getPriceReport(1000e18); // report still says $1000 (helper not shown here)
fulfillSwap(user, requestId, stalePriceData);          // accepted, although the asset is now worth $800

Impact

Direct Fund Loss: 20-100% of vault assets.

Severity: Critical (CVSS 9.1).

Tools Used

Foundry fork testing with manipulated oracles.

Recommendations

// Add price freshness and sanity checks. Illustrative only: the report layout is not shown on
// this page and is assumed to be abi.encode(uint256 value, uint256 timestamp); MAX_SANE_VALUE is a configured cap.
function verifyOffchainPrice(bytes calldata data) internal view returns (UD60x18) {
    (uint256 value, uint256 timestamp) = abi.decode(data, (uint256, uint256));
    require(timestamp <= block.timestamp, "Future price"); // checked first so the subtraction below cannot underflow
    require(block.timestamp - timestamp <= 60, "Stale price");
    require(value > 0 && value < MAX_SANE_VALUE, "Invalid price");
    return ud60x18(value); // UD60x18 wrapper from @prb/math
}

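The following Foundry test is an added example written for this page, not Zaros code and not the submitter's PoC. It models the exploit scenario and the recommended fix side by side with a self-contained mock: MockStabilityBranch borrows the names verifyOffchainPrice and getAmountOfAssetOut from the finding but is a stand-in, the report layout is assumed to be abi.encode(price, timestamp) (the real off-chain report format is not reproduced), and a 60-second maximum age is an assumed policy. It uses a stale low report because, for a USD-in / asset-out swap, that is the direction in which the vault over-releases assets; a stale high report is rejected by the same check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative test, not Zaros code. All contracts below are mocks.
import {Test} from "forge-std/Test.sol";

/// Stand-in for a swap settlement path: the keeper supplies priceData, the
/// contract derives a price from it and computes how much asset to release.
contract MockStabilityBranch {
    uint256 public constant MAX_PRICE_AGE = 60; // seconds; assumed policy
    bool public immutable checkFreshness;

    constructor(bool _checkFreshness) {
        checkFreshness = _checkFreshness;
    }

    // Assumed report layout: abi.encode(uint256 price, uint256 timestamp).
    // checkFreshness == false mirrors the "no timestamp check" path in the finding;
    // checkFreshness == true is the hardened path from the recommendation.
    function verifyOffchainPrice(bytes calldata data) public view returns (uint256 price) {
        uint256 timestamp;
        (price, timestamp) = abi.decode(data, (uint256, uint256));
        require(price > 0, "Invalid price");
        if (checkFreshness) {
            // reject future-dated reports first so the subtraction cannot underflow
            require(timestamp <= block.timestamp, "Future price");
            require(block.timestamp - timestamp <= MAX_PRICE_AGE, "Stale price");
        }
    }

    // usdAmount (18 decimals) converted at price (18 decimals) -> asset amount (18 decimals)
    function getAmountOfAssetOut(uint256 usdAmount, bytes calldata priceData) external view returns (uint256) {
        uint256 price = verifyOffchainPrice(priceData);
        return usdAmount * 1e18 / price;
    }
}

contract StalePriceTest is Test {
    MockStabilityBranch vulnerable;
    MockStabilityBranch hardened;

    function setUp() public {
        vm.warp(1_700_000_000); // fixed clock so the constructed timestamps are deterministic
        vulnerable = new MockStabilityBranch(false);
        hardened = new MockStabilityBranch(true);
    }

    // Constructed reports: the asset trades at $800 now; an hour ago it traded at $500.
    function _freshReport() internal view returns (bytes memory) {
        return abi.encode(800e18, block.timestamp);
    }

    function _staleReport() internal view returns (bytes memory) {
        return abi.encode(500e18, block.timestamp - 3600);
    }

    function testVulnerableBranchAcceptsStaleReport() public view {
        uint256 fair = vulnerable.getAmountOfAssetOut(800e18, _freshReport());
        uint256 inflated = vulnerable.getAmountOfAssetOut(800e18, _staleReport());
        assertEq(fair, 1e18);      // 800 USD buys 1.0 asset at the current price
        assertEq(inflated, 16e17); // 1.6 asset released against the hour-old price
    }

    function testHardenedBranchRejectsStaleReport() public {
        bytes memory stale = _staleReport();
        vm.expectRevert(bytes("Stale price"));
        hardened.getAmountOfAssetOut(800e18, stale);
    }

    function testHardenedBranchRejectsFutureReport() public {
        bytes memory future = abi.encode(500e18, block.timestamp + 1);
        vm.expectRevert(bytes("Future price"));
        hardened.getAmountOfAssetOut(800e18, future);
    }

    function testHardenedBranchAcceptsRecentReport() public view {
        bytes memory recent = abi.encode(800e18, block.timestamp - 30);
        assertEq(hardened.getAmountOfAssetOut(800e18, recent), 1e18);
    }
}
```

Run with `forge test --match-contract StalePriceTest`. The vulnerable mock releases 0.6 asset more per 800 USD than the current price justifies, which is the per-swap gain a keeper controlling priceData would capture; the hardened mock reverts on the same input. A maximum age alone does not stop a report that is fresh but from an unauthorised source, so in a real deployment the signature or verifier check on the report has to stay alongside the age bound.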
Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
