This repository has been archived by the owner on Nov 5, 2023. It is now read-only.

helpMePlease - Potential flash loan attack vulnerability in getPrice function of CurveOracle #123

Open
sherlock-admin opened this issue Apr 30, 2023 · 1 comment
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin (Contributor)

helpMePlease

high

Potential flash loan attack vulnerability in getPrice function of CurveOracle

Summary

During a security review of the getPrice function in the CurveOracle, a potential flash loan attack vulnerability was identified.

Vulnerability Detail

The getPrice function retrieves the spot price of each token in a Curve LP pool, calculates the minimum price among them, and multiplies it by the virtual price of the LP token to determine the USD value of the LP token. If the price of one or more tokens in the pool is manipulated, this can cause the minimum price calculation to be skewed, leading to an incorrect USD value for the LP token. This can be exploited by attackers to make a profit at the expense of other users.

Impact

This vulnerability could potentially allow attackers to manipulate the price of tokens in Curve LP pools and profit at the expense of other users. If exploited, this vulnerability could result in significant financial losses for affected users.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/96eb1829571dc46e1a387985bd56989702c5e1dc/blueberry-core/contracts/oracle/CurveOracle.sol#L122

Tool used

Manual Review

Recommendation

Use a TWAP to determine the prices of the underlying assets in the pool.

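To make the pricing rule and the attack economics concrete, here is an added Python model that is not part of the issue and not Blueberry's CurveOracle code. It assumes a constructed constant-product (x*y=k) pool as the stand-in source of each underlying's spot price, a hypothetical `virtual_price` of 1.02, and three underlyings "A", "B", "C"; all reserves and trade sizes are constructed. It computes the LP price the issue describes (minimum spot price times virtual price), runs a single-transaction dump-read-restore against one pool, and compares the result with the same rule fed by a block-close TWAP, which is the direction the recommendation points to.

```python
"""Toy model of LP value = min(spot price of each underlying) * virtual_price,
and of an atomic flash-loan manipulation against it.

Added illustration, not code from Blueberry's CurveOracle. The constant-product
pool below is a constructed stand-in for whatever on-chain source feeds the
spot prices; the numbers are made up for the demonstration."""

from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class SpotPool:
    """Constructed x*y=k pool quoting one underlying against a USD stable.
    No swap fee, so a dump-and-buy-back round trip costs nothing here
    (real pools charge fees, which is the attacker's main cost)."""
    token_reserve: float
    usd_reserve: float

    def spot_price(self) -> float:
        return self.usd_reserve / self.token_reserve

    def sell_token(self, token_in: float) -> float:
        """Dump tokens into the pool; returns USD received. Pushes the spot price down."""
        k = self.token_reserve * self.usd_reserve
        new_token = self.token_reserve + token_in
        new_usd = k / new_token
        usd_out = self.usd_reserve - new_usd
        self.token_reserve, self.usd_reserve = new_token, new_usd
        return usd_out

    def buy_token(self, usd_in: float) -> float:
        """Pay USD into the pool; returns tokens received. Pushes the spot price up."""
        k = self.token_reserve * self.usd_reserve
        new_usd = self.usd_reserve + usd_in
        new_token = k / new_usd
        token_out = self.token_reserve - new_token
        self.token_reserve, self.usd_reserve = new_token, new_usd
        return token_out


def lp_price_spot(spot_prices: Sequence[float], virtual_price: float) -> float:
    """The rule under discussion: cheapest underlying by current spot * virtual_price.
    A single manipulated spot price drags the whole LP valuation down."""
    return min(spot_prices) * virtual_price


def lp_price_twap(history: Dict[str, List[float]], virtual_price: float, window: int) -> float:
    """Same rule, but each underlying is priced by the average of its last
    `window` block-close observations instead of the current spot."""
    averages = [sum(h[-window:]) / len(h[-window:]) for h in history.values()]
    return min(averages) * virtual_price


def simulate_flash_loan_attack(virtual_price: float = 1.02,
                               quiet_blocks: int = 10, window: int = 10):
    """Returns (honest, manipulated, twap, tokens_recovered) for a one-tx attack."""
    pools = {n: SpotPool(1_000_000.0, 1_000_000.0) for n in ("A", "B", "C")}
    history: Dict[str, List[float]] = {n: [] for n in pools}

    for _ in range(quiet_blocks):            # quiet blocks: every underlying trades at 1.00
        for n, p in pools.items():
            history[n].append(p.spot_price())
    honest = lp_price_spot([p.spot_price() for p in pools.values()], virtual_price)

    # Attack transaction: flash-borrow 3M of token A, dump it into its pool,
    # have the oracle read the pool in the same tx, buy A back, repay the loan.
    borrowed = 3_000_000.0
    usd_out = pools["A"].sell_token(borrowed)
    manipulated = lp_price_spot([p.spot_price() for p in pools.values()], virtual_price)
    tokens_recovered = pools["A"].buy_token(usd_out)   # reserves restored exactly (no fees)

    for n, p in pools.items():               # block closes after the attack tx has unwound
        history[n].append(p.spot_price())
    twap = lp_price_twap(history, virtual_price, window)
    return honest, manipulated, twap, tokens_recovered


if __name__ == "__main__":
    honest, manipulated, twap, recovered = simulate_flash_loan_attack()
    print(f"honest LP price       : {honest:.5f}")
    print(f"in-tx spot LP price   : {manipulated:.5f}")   # 16x too low
    print(f"TWAP LP price         : {twap:.5f}")
    print(f"tokens repaid to loan : {recovered:,.0f}")
```

Dumping 3M borrowed tokens into a 1M/1M pool moves that underlying's spot from 1.00 to 0.0625, so the min-price rule values the LP token at about 6% of its honest value for the duration of the transaction, and in this fee-free model the attacker recovers every borrowed token on the way out. The TWAP variant only sees block-close prices, which the atomic round trip never changes, so it reports the honest value. Two caveats a practitioner should keep: a TWAP blunts single-transaction manipulation, not a sustained multi-block push (which costs real capital and fees but is still possible on thin pools), and the window length and sampling point decide how much of that residual risk remains.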
@github-actions github-actions bot added High A valid High severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels May 3, 2023
@Gornutz Gornutz added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels May 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label May 20, 2023
@Gornutz commented Jun 13, 2023
