carrotsmuggler - Price calculation susceptible to flashloan exploits
Opened this issue · 0 comments
carrotsmuggler
high
Price calculation susceptible to flashloan exploits
Summary
Contract uses uniswap slot0 price instead of TWAP price. slot0 price can be manipulated with flash loans.
Vulnerability Detail
The contract uses the uniswap DAI-USSD pool to get the price of USSD. It however uses the instantaneous price from slot0 instead of the TWAP price. The slot0 price is calculated from the ratios of the assets. This ratio can however be manipulated by buying/selling assets in the pool.
Thus any user can take a flashloan, use those funds to manipulate the price of USSD, and then trigger a rebalance. The attacks can be made profitable by providing just-in-time liquidity to the various pools that reabalance interacts with, draining the contract of collateral through arbitrage.
Impact
Price can be manipulated and rebalance can be called any time. Susceptible to flash loan exploits.
Code Snippet
Tool used
Manual Review
Recommendation
Use TWAP price instead of slot0 price. Here is an example implementation of TWAP.