Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

cergyk - Ichi vault LP oracle is vulnerable to price manipulation with flashloan #55

Closed
github-actions bot opened this issue Mar 1, 2023 · 0 comments
Closed

cergyk - Ichi vault LP oracle is vulnerable to price manipulation with flashloan #55

github-actions bot opened this issue Mar 1, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@github-actions
Copy link

github-actions bot commented Mar 1, 2023
edited
Loading

cergyk

high

Ichi vault LP oracle is vulnerable to price manipulation with flashloan

Summary

The protocol relies on an oracle to price Ichi Lp shares, unfortunately it is vulnerable to price manipulation using a flash-loan.

Vulnerability Detail

The function getTotalAmounts:
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/IchiLpOracle.sol#L27

is defined as such in Ichi vaults:

/**
    @notice Calculates total quantity of token0 and token1 in both positions (and unused in the ICHIVault)
    @param total0 Quantity of token0 in both positions (and unused in the ICHIVault)
    @param total1 Quantity of token1 in both positions (and unused in the ICHIVault)
*/
function getTotalAmounts()
    public
    view
    override
    returns (uint256 total0, uint256 total1)
{
    (, uint256 base0, uint256 base1) = getBasePosition();
    (, uint256 limit0, uint256 limit1) = getLimitPosition();
    total0 = IERC20(token0).balanceOf(address(this)).add(base0).add(limit0);
    total1 = IERC20(token1).balanceOf(address(this)).add(base1).add(limit1);
}

where getBasePosition and getLimitPosition fetch available liquidity from UniswapV3 pools.
A big swap using a flash-loan can push the liquidity to one side only, meaning that a position will contain only token1 for example. If that is the most valuable token according to base oracles, the lp token itself will appear more valuable.
This will allow the attacker to drain the protocol, by borrowing against over valued collateral.

Impact

An attacker can drain the protocol by borrowing against overvalued collateral.

Code Snippet

Tool used

Manual Review

Recommendation

One can use the same logic as the IchiVault itself uses to protect against price manipulation on UniswapV3: using a twap oracle as reference and revert if the price has deviated too much in the same block:
https://etherscan.deth.net/address/0x683F081DBC729dbD34AbaC708Fa0B390d49F1c39#code

line 2621:

    if (delta > hysteresis) require(checkHysteresis(), "IV.deposit: try later");

Duplicate of #20
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Mar 1, 2023
@github-actions github-actions bot closed this as completed Mar 1, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 19, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin