-
Notifications
You must be signed in to change notification settings - Fork 8
KupiaSec - Price calculation can be manipulated by intentionally reverting some of price feeds. #127
Comments
BunniSupply
and AuraBalancerSupply
.
Invalid, if a user purposely revert price feeds, they are only affecting their own usage, not the usage of price feeds for other users transactions. |
Escalate Hey @nevillehuang - Yes, exactly you are right. What an attacker can manipulate is a spot price using flashloans, so if an attacker purposely disable other price feeds but only leave manipulated price feed, there happens a vulnerability that an attacker can buy tokens at affected price. |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
@KupiaSecAdmin, All of your scenarios are invalid
This is on top of the fact that price submodules are not intended to be called directly, but via the primary price module mentioned in this comment here |
@nevillehuang - For example, you can manipulate spot price of Uniswap. To make this work, you need to make other price feeds revert because if they are all enabled, average/median price strategy will be taken and manipulated spot price will not take effect. |
@KupiaSecAdmin you cannot make other feeds revert for other user, only yourself, and your submission certainly doesn't prove that it is possible. Besides, to manipulate spot price in uniswap, you will have to manipulate the reserves, which is a known issue in the contest and out of scope. |
@nevillehuang - I would like to add some notes and scenarios below that I think might be attack vectors. [Notes]
[Scenario]
[Thoughts] [Claims] |
@KupiaSecAdmin Can you provide a coded PoC for your above scenario? I really don't see how step 5 can occur, given price feeds are utilized in separate transactions? How would one users price feed reverting affect another?
|
@nevillehuang @0xJem - Here's a PoC that shows how price can be manipulated. You can put this test file in same test directory with Running test: Result: [PASS] testPriceManipulation() (gas: 2299239)
Logs:
Before: Chainklink/Olympus 6294108760000000000 6308514491323687440
After: Chainklink/Olympus 6294108760000000000 29508079057029841191
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 4.69s
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests) [Scenario]
[Focus]
|
@Oighty can you weigh in on the risk of a third-party deliberately triggering the re-entrancy lock in the UniV3 pool? To me, this represents a misconfiguration of the asset price feeds. If it was a single price feed (UniV3) only, it would be fine, as the price lookup would fail.
If we were to have UNI defined as an asset, we would be more likely to do this:
Given the difficulty of manipulation both sources, and the deep liquidity of the UniV3 pool ($31.65m), we'd be confident that it would be resilient enough. |
|
I think this is a really nice finding if true, kudos for the thought process @KupiaSecAdmin! Since price manipulation itself is out of scope, but the expectation of using multiple price sources should make the price more difficult to manipulate, and because of the bug, the breakdown value falls drastically. Thus I believe it deserves to be a valid Medium. I'm not sure about the point above, @0xJem could you explain why would such setup be a misconfiguration? From my understanding, any setup using any of these 3 oracles and any other one will be susceptible to manipulation. |
@Czar102 Some questions:
|
|
@nevillehuang I believe the assumption you are mentioning in point 1 is just an example and the different price feeds could be anything, like Uni v3 + Uni v3 – one could manipulate one of these and make the other revert, for example. Regarding point 2, I don't think the crux here is the manipulation of reserves, they may be just off with respect to each other. The point is that the attacker can selectively decide which sources of information to use, impacting the final price reading. The point of using multiple feeds is to make the price more reliable, and they are being made less reliable if you can make the readings be rejected. Regarding point 3, I believe you could repetitively make the price pass sanity checks, making it exponentially diverge from the real price. Regarding @0xJem's points: I believe simply not using a Uni v2 pool doesn't mitigate this. Using any of the dexes mentioned above together with any feed will have this impact. So, a Chainlink feed + Uni v3 pool could be exploited in a way that the Uni v3 reading will revert and only Chainlink feed will be used, which may benefit the attacker in a certain way. Has the approach for creating these safe setups been shared with Watsons anywhere? Am I misunderstanding something? @0xJem @nevillehuang @KupiaSecAdmin |
TLDR, unless the watson or YOU provide sufficient proof (best with a PoC) that it is economically possible/profitable, I’m not convinced this is a valid issue since you are just simply stating possibility. Please only consider the original submission only and see if it has sufficient information in place during the time when Im judging this. |
IMO In my opinion, while the precise impact of the potential attack isn't crystal clear, the mentioned attack path, extending up to price manipulation, significantly expands the attack surface. This broader surface introduces multiple avenues for potential attacks that may not be immediately apparent. I find @nevillehuang's comment lacking in persuasiveness, on how this issue should be considered as invalid after watson submitted the PoC. With a clear attack impact, Watson's submission should be rated as High severity. Watson's failure to articulate how the identified issue could result in a loss of funds for the protocol is crucial. But the issue highlights numerous ways the core functionality of the contract could be exploited, making it a valid medium-severity concern. |
@Hash01011122, stating the possibility of an issue and proving it are two separate things. Can you look at the details provided in the issue and tell me with at least 80% confidence rate that it is valid without additional research by the judge to prove its validity when its not the case? For example, the watson is simply stating "user can cause reentrancy" with a single one liner type comment without any code description/POC (there are multiple instances throughout the issue)? How am I suppose to verify that? I am a firm believer that burden of proof is on the watson not the judge, and I believe sherlock also enforces this stance. The fact that Head of judging and sponsor has to come in and supplement the non-obvious finding of the watson certainly doesn't help too, and I believe this will be resolved in the future now that we have the |
I understood the finding when I haven't read a half or it. I think the only thing that needs to be verified is that a revert in price reading will cause the price to be computed based on other sources. Selective manipulation of sources of information defeats the purpose of sourcing the data from many sources – instead of increasing security, the data will be pulled from potentially least safe sources. I think it warrants Medium severity. |
Result: |
Escalations have been resolved successfully! Escalation status:
|
KupiaSec
high
Price calculation can be manipulated by intentionally reverting some of price feeds.
Summary
Price calculation module iterates through available price feeds for the requested asset, gather prices of non-revert price feeds and then apply strategy on available prices to calculate final asset price.
By abusing this functionality, an attacker can let some price feeds revert to get advantage from any manipulated price feed.
Vulnerability Detail
Here we have some methods that attackers can abuse to intentionally revert price feeds.
UniswapV3Price.sol#L210-214
In UniswapV3 price feed, it reverts if current state is re-entered.
An attacker can intentionally revert this price feed by calling it from UniswapV3's callback methods.
BalancerPoolTokenPrice.sol#L388
BalancerPoolTokenPrice.sol#487
BalancerPoolTokenPrice.sol#599
BalancerPoolTokenPrice.sol#748
In BalancerPool price feed, it reverts if current state is re-entered.
An attacker can intentionally revert this price feed by calling it in the middle of Balancer action.
BunniPirce.sol#L155-160
In BunniToken price feed, it validates reserves and reverts if it doesn't satisfy deviation.
Since BunniToken uses UniswapV3, this can be intentionally reverted by calling it from UniswapV3's mint callback.
Usually for ERC20 token prices, above 3 price feeds are commonly used combined with Chainlink price feed, and optionally with
averageMovingPrice
.There are another two points to consider here:
OlympusPrice.v2.sol#L160
getMedianPriceIfDeviation
- SimplePriceFeedStrategy.sol#L246getMedianPrice
- SimplePriceFeedStrategy.sol#L313For
getAveragePrice
andgetAveragePriceIfDeviation
, it uses average price if it deviates.Based on the information above, here are potential attack vectors that attackers would try:
When
$\frac{(P + \Delta X) + (P)}{2} = P + \frac{\Delta X}{2}, P=Market Price, \Delta X=Manipulated Amount$
averageMovingPrice
is used and average price strategy is applied, the manipulation effect becomes half:Impact
Attackers can disable some of price feeds as they want with ease, they can get advantage of one manipulated price feed.
Code Snippet
https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/PRICE/OlympusPrice.v2.sol#L132-L184
Tool used
Manual Review
Recommendation
For the cases above that price feeds being intentionally reverted, the price calculation itself also should revert without just ignoring it.
The text was updated successfully, but these errors were encountered: