sherlock-audit/2023-04-blueberry-judging

cducrest-brainbot - IchiVaultOracle getPrice will fail during price crashes

Closed this issue · 1 comments

sherlock-admin commented

cducrest-brainbot

high

IchiVaultOracle getPrice will fail during price crashes

Summary

The function to get the price of the IchiVault LP token will fail when TWAP and spot price differ too much. This will be the case when price of the LP token crashes.

The oracle will revert and positions using IchiVault LP token won't be able to be repaid / liquidated when price crashes, when this is needed the most.

Vulnerability Detail

The function getPrice() checks the spot and twap price of the LP token, it reverts when they differ too much:

    function getPrice(address token) external view override returns (uint256) {
        IICHIVault vault = IICHIVault(token);
        uint256 totalSupply = vault.totalSupply();
        if (totalSupply == 0) return 0;

        address token0 = vault.token0();
        address token1 = vault.token1();

        // Check price manipulations on Uni V3 pool by flashloan attack
        uint256 spotPrice = spotPrice0InToken1(vault);
        uint256 twapPrice = twapPrice0InToken1(vault);
        uint256 maxPriceDeviation = maxPriceDeviations[token0];
        if (!_isValidPrices(spotPrice, twapPrice, maxPriceDeviation))
            revert Errors.EXCEED_DEVIATION();

        // Total reserve / total supply
        (uint256 r0, uint256 r1) = vault.getTotalAmounts();
        uint256 px0 = base.getPrice(address(token0));
        uint256 px1 = base.getPrice(address(token1));
        uint256 t0Decimal = IERC20Metadata(token0).decimals();
        uint256 t1Decimal = IERC20Metadata(token1).decimals();

        uint256 totalReserve = (r0 * px0) /
            10 ** t0Decimal +
            (r1 * px1) /
            10 ** t1Decimal;

        return (totalReserve * 10 ** vault.decimals()) / totalSupply;
    }

Impact

The twap period can range from 1 hour to 2 days. If the twap period is long enough or the maxPriceDeviations small enough, the pricing oracle will revert when price crashes (or spikes) and prevent actions on positions using IchiVault LP tokens.

The liquidation / repayment will be impossible when most needed, during important changes of market prices.

As noted in the comment and understood from the code, the intent of this check is to prevent price manipulation of the LP token. If the maxPriceDeviations, the price oracle is vulnerable to price manipulation since it does not the fair LP token pricing method.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/96eb1829571dc46e1a387985bd56989702c5e1dc/blueberry-core/contracts/oracle/IchiVaultOracle.sol#L110-L138

Tool used

Manual Review

Recommendation

Use the fair lp token pricing strategy instead of checking twap and spot price.

Gornutz commented

This is using the fair lp token pricing strategy for the ICHI-style vaults. This was a large discussion from the previous sherlock competition.