DeFiLayer 1Layer 2
14,723 OP
View results
Submission Details
Severity: high
Invalid

Adversary can potentially manipulate the price for multiple consecutive block causing consecutive blocks price swings using flashloan

Summary

The problem is with the update_price function, which updates the price based on external data. If this data comes from a source that can be influenced by flash loans ( and it does comes from ethereum onchain), an attacker can change the price for a short time and trick the system into accepting a false value.
The system tries to limit sudden price changes using a smoothing method (_smoothed_price), but this only slows down manipulation—it doesn't stop it completely. If an attacker repeats the trick multiple times, they can gradually push the price up or down, making money unfairly.
Instead of making one big change, the attacker makes small price changes over several blocks to reach their target price.

def update_price(
_parameters: uint256[ALL_PARAM_CNT], _ts: uint256, _block_number: uint256
) -> uint256:
"""
@notice Update price using `_parameters`
@param _parameters Parameters of Yearn Vault to calculate scrvUSD price
@param _ts Timestamp at which these parameters are true
@param _block_number Block number of parameters to linearize updates
@return Absolute relative price change of final price with 10^18 precision
"""
access_control._check_role(PRICE_PARAMETERS_VERIFIER, msg.sender)
# Allowing same block updates for fixing bad blockhash provided (if possible)
assert self.last_block_number <= _block_number, "Outdated"
self.last_block_number = _block_number
self.last_prices = [self._price_v0(), self._price_v1(), self._price_v2()]
self.last_update = block.timestamp
ts: uint256 = self.price_params_ts
current_price: uint256 = self._raw_price(ts, ts)
self.price_params = PriceParams(
total_debt=_parameters[0],
total_idle=_parameters[1],
total_supply=_parameters[2],
full_profit_unlock_date=_parameters[3],
profit_unlocking_rate=_parameters[4],
last_profit_update=_parameters[5],
balance_of_self=_parameters[6],
)
self.price_params_ts = _ts
new_price: uint256 = self._raw_price(_ts, _ts)
log PriceUpdate(new_price, _ts, _block_number)
if new_price > current_price:
return (new_price - current_price) * 10**18 // current_price
return (current_price - new_price) * 10**18 // current_price

Vulnerability Details

Flash loans let an attacker borrow and return large amounts of money in one transaction, meaning they don’t need their own capital.
Even though there’s a limit on how much the price can change in one update, the attacker can perform multiple small updates to slowly force the price in their favor.If the update_price function depends on values like total_debt, total_idle, or balance_of_self, the attacker can temporarily control these values using flash loans.Each time they do this, they can trade at a manipulated price, making a profit step by step.

Key Takeaways:

  • ✅ The system prevents sudden price jumps, but small changes over time are still a problem.

  • ✅ Flash loans let attackers do this repeatedly without needing their own money.

  • ✅ A better price-checking system, like TWAP (Time-Weighted Average Price) or using multiple data sources, can help stop this attack.

Here is how the attcks can be performed . Please note that it is difficult to write any PoC for this codebase because i couldn't even install the project without errors and couldn't run any test and the time span is very short

  • 1️⃣ The attacker takes a large flash loan in scrvUSD or another related asset.

  • 2️⃣ They move liquidity to change key values like total_debt, total_idle, or total_supply, which affects the price.

  • 3️⃣ They trigger update_price, forcing the system to accept a fake high or low price.

  • 4️⃣ The price doesn’t reset immediately due to the smoothing system, so it stays manipulated.

  • 5️⃣ The attacker repays the flash loan and profits from the manipulated price.

  • 6️⃣ They repeat the process multiple times to slowly shift the price where they want it.

Impact

Market manipulation: Attackers can slowly push prices up or down.
Unfair profits: They buy low and sell high by forcing price changes in their favor.
Losses for honest users: Regular users may end up buying at an unfairly high price or selling too low.

Tools Used

Manual review

Recommendations

  • Use TWAP (Time-Weighted Average Price): This makes it harder to manipulate prices in one block.

  • Check multiple data sources: Instead of relying on one source, compare data from different places.

  • Limit rapid updates: Prevent users from updating the price too many times in a short period.

Updates

Lead Judging Commences

0xnevi Lead Judge
5 months ago
0xnevi Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.