Bauer - The quotes from Curve may be subject to manipulation #44

sherlock-admin · 2023-04-30T15:58:26Z

Bauer

high

The quotes from Curve may be subject to manipulation

Summary

The get_virtual_price() function in Curve has a reentrancy risk, which can affect the price if the protocol fetches quotes from pools integrated with ETH on Curve.

Vulnerability Detail

The CurveOracle protocol calls the function get_virtual_price_from_lp_token() to obtain a quote from Curve. However, all pools integrated with ETH pose a read-only reentrancy risk. Please refer below link for detail.
https://chainsecurity.com/heartbreaks-curve-lp-oracles/

Impact

The read-only reentrancy operation manipulates the price.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/CurveOracle.sol#L101

Tool used

Manual Review

Recommendation

Duplicate of #123

The text was updated successfully, but these errors were encountered:

github-actions bot closed this as completed May 3, 2023

github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels May 3, 2023

sherlock-admin added the Reward A payout will be made for this issue label May 20, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bauer - The quotes from Curve may be subject to manipulation #44

Bauer - The quotes from Curve may be subject to manipulation #44

sherlock-admin commented Apr 30, 2023 •

edited by github-actions bot

Loading

Bauer - The quotes from Curve may be subject to manipulation #44

Bauer - The quotes from Curve may be subject to manipulation #44

Comments

sherlock-admin commented Apr 30, 2023 • edited by github-actions bot Loading

The quotes from Curve may be subject to manipulation

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

sherlock-admin commented Apr 30, 2023 •

edited by github-actions bot

Loading