Attacker can bypass the chainlink price verification at TradingLibrary> verifyPrice #45
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-377
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/b2ebb8ea1def4927a747e7a185174892506540ab/contracts/utils/TradingLibrary.sol#L95
Vulnerability details
Impact
The TradingLibrary> verifyPrice function verifies the given price with the node signature, however it reverts if the signed price is different than the chainLink price feed if the price slipped during "_priceData.timestamp + _validSignatureTimer", however this design can be bypassed as the priceFeed address is given by the user (address _chainlinkFeed) doing so an attacker can deploy a fake price feed and give it in the arg and give it's controlled price, this will make the attacker benefits from slippage ...etc
Proof of Concept
(Remix IDE), supposing the price is 400 however the price from the chainlink price feed is 900 (this will make 400 > 900-900*2/100 reverts)
With your wallet (as node) sign the hash with the valid priceData tuple (make the _validSignatureTimer high and the price is 400), supposing the current price of the asset is 900 but the signature is made for 400 as price, call the test function with the fake contract as _chainlinkFeed and the transaction will succeed
Tools Used
Manual
Recommended Mitigation Steps
Make a whitelisting to the _chainlinkFeed :
The text was updated successfully, but these errors were encountered: