ctf_sec - Swell eth oracle can be maipulated by third party easily

[sherlock-admin]

ctf_sec

high

Swell eth oracle can be maipulated by third party easily

Summary

Swell eth oracle can be maipulated by third party easily

Vulnerability Detail

    function getPriceInEth(address token) external view returns (uint256 price) {
        // Prevents incorrect config at root level.
        if (token != address(swEth)) revert Errors.InvalidToken(token);

        // Returns in 1e18 precision.
        price = swEth.swETHToETHRate()

This is how the protocol calculates price for swETH, the problem with this is that the function swETHToETHRate can be easily manipulated by a malicious third party, and in this case, the address that have the SwellLib.BOT role

Let us follow the call flow so we can see how a malicious user can manipulate the price of sweETH

the logic above will call this function below
https://etherscan.io/address/0xdda46bf18eeb3e06e2f12975a3a184e40581a72f#code#F1#L148

 function swETHToETHRate() external view override returns (uint256) {
    return _swETHToETHRate().unwrap();

This is called next
https://etherscan.io/address/0xdda46bf18eeb3e06e2f12975a3a184e40581a72f#code#F1#L365

  function _swETHToETHRate() internal view returns (UD60x18) {
    if (swETHToETHRateFixed == 0) {
      return wrap(1 ether);
    }

the value swETHToETHRateFixed can easilly be manipulated by an attacker by taking advantage of reprice.

  function reprice(
    uint256 _preRewardETHReserves,
    uint256 _newETHRewards,
    uint256 _swETHTotalSupply
  ) external override checkRole(SwellLib.BOT) {

when this function is called it updates the value of swETHToETHRateFixed in two places

https://etherscan.io/address/0xdda46bf18eeb3e06e2f12975a3a184e40581a72f#code#F1#L244

 uint256 updatedSwETHToETHRateFixed = wrap(totalReserves)

https://etherscan.io/address/0xdda46bf18eeb3e06e2f12975a3a184e40581a72f#code#F1#L339

    swETHToETHRateFixed = updatedSwETHToETHRateFixed

since the value of swETHToETHRateFixed is reliant on the totalReserves, a malicious third party address that have the SwellLib.BOT role can update the swETH rate to whatever value they want

this falls into the external protocol integration risk that external admin should not have the power to manipulate the oracle price and rug the tokenmak user

In case of external protocol integrations, are the risks of external contracts pausing or executing an emergency withdrawal acceptable? If not, Watsons will submit issues related to these situations that can harm your protocol's functionality.

Pausing or emergency withdrawals are not acceptable for Tokemak.

Impact

Malicious thid party SwellLib.BOT role can manipulate the price of swellETH

Code Snippet

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/oracles/providers/SwEthEthOracle.sol#L26-L33

Tool used

Manual Review

Recommendation

do not use spot price swETHToETHRate to calculate price of sweETH

Duplicate of #570