Oracle price can be manipulated within a certain time period #49
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-108
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/TradingExtension.sol#L163-L188
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/utils/TradingLibrary.sol#L91-L122
Vulnerability details
Impact
The price and signature from an oracle is valid within a certain time period, determined by block timestamps. However, if multiple prices and signatures are released within this time period, the user can pick and choose which one to use, thus manipulating the price of positions.
Proof of Concept
TradingLibrary.verifyPrice
verifies the signature of the price:However, the signature is valid for
_validSignatureTimer
amount of time. Thus, if multiple signatures are released during a time period less than_validSignatureTimer
, either of them are valid. ThevalidSignatureTimer
value is set by the owner inTradingExtension.sol
. If this is too long, users are able to pick and choose what price to use.Tools Used
n/a
Recommended Mitigation Steps
Carefully set
validSignatureTimer
and ensure it's the exact duration between prices/signatures being released from the oracle.The text was updated successfully, but these errors were encountered: