Skip to content
This repository has been archived by the owner on Nov 26, 2023. It is now read-only.

shogoki - Rebalancing is suspectible to Flash Loan Attacks #481

Closed
sherlock-admin opened this issue May 23, 2023 · 0 comments
Closed

shogoki - Rebalancing is suspectible to Flash Loan Attacks #481

sherlock-admin opened this issue May 23, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented May 23, 2023
edited by github-actions bot
Loading

shogoki

high

Rebalancing is suspectible to Flash Loan Attacks

Summary

The Rebalancing function uses the internal getOwnValuation() function, which get´s the curren tprice from a UniswapV3 Pool. This is vunerable to FlashLoan Attacks as the price can be easily manipulated in either direction by an attacker.
As the rebalance function is also public and can be called by anyone, an attacker can force any behaviour of the function by manipulating the price into the desired direction.

Vulnerability Detail

In USSDRebalancer.sol:71-80 the getOwnValuation() function relies on the current price from the UniswapV3 pool by fetching the data from slot0(). This is not the intended way to use an Uniswapv3 Pool as a price oracle, because it is suspectible to Flash Loan Attacks.
This function is then used in the public accessible rebalance() function to determine if the USSD token is at Peg. If the Token depegged from DAI by more than the allowed threshold actions are taken to either buy or sell USSD token.
In conjunction with a Sandwich attack (because there is no slippage protection in the UniswapV3 call) this allows the attacker to drain almost all collateral funds.

An Attacker can do the following:

  • take flash loan and buy collateral tokens in respective pools
  • fake a depeg the USSD below 1 DAI, by manipulating the uniswapV3 Poolprice (using flashloan)
  • call rebalance to force the Rebalancer Contract to sell the Collateral tokens (in our pools) for a too high price and buy USSD
  • sell the bought collateral tokens for a higher price
  • payback flashloan

By this an attacker can take a massive profit by taking the value out of the USSD collateral pools.

Impact

Attackers can "steal" almost all collateral funds.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#L71-L80

Tool used

Manual Review

Recommendation

Do not rely on the slot0 fetched price from the UniswapV3 pool.

Duplicate of #451
@github-actions github-actions bot closed this as completed Jun 5, 2023
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jun 5, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jun 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin