You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue
Aug 30, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Swell eth oracle can be maipulated by third party easily
Summary
Swell eth oracle can be maipulated by third party easily
Vulnerability Detail
function getPriceInEth(addresstoken) externalviewreturns (uint256price) {
// Prevents incorrect config at root level.if (token !=address(swEth)) revert Errors.InvalidToken(token);
// Returns in 1e18 precision.
price = swEth.swETHToETHRate()
This is how the protocol calculates price for swETH, the problem with this is that the function swETHToETHRate can be easily manipulated by a malicious third party, and in this case, the address that have the SwellLib.BOT role
Let us follow the call flow so we can see how a malicious user can manipulate the price of sweETH
since the value of swETHToETHRateFixed is reliant on the totalReserves, a malicious third party address that have the SwellLib.BOT role can update the swETH rate to whatever value they want
this falls into the external protocol integration risk that external admin should not have the power to manipulate the oracle price and rug the tokenmak user
In case of external protocol integrations, are the risks of external contracts pausing or executing an emergency withdrawal acceptable? If not, Watsons will submit issues related to these situations that can harm your protocol's functionality.
Pausing or emergency withdrawals are not acceptable for Tokemak.
Impact
Malicious thid party SwellLib.BOT role can manipulate the price of swellETH
sherlock-admin2
changed the title
Helpful Amber Llama - Swell eth oracle can be maipulated by third party easily
ctf_sec - Swell eth oracle can be maipulated by third party easily
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
ctf_sec
high
Swell eth oracle can be maipulated by third party easily
Summary
Swell eth oracle can be maipulated by third party easily
Vulnerability Detail
This is how the protocol calculates price for swETH, the problem with this is that the function
swETHToETHRate
can be easily manipulated by a malicious third party, and in this case, the address that have the SwellLib.BOT roleLet us follow the call flow so we can see how a malicious user can manipulate the price of sweETH
the logic above will call this function below
https://etherscan.io/address/0xdda46bf18eeb3e06e2f12975a3a184e40581a72f#code#F1#L148
This is called next
https://etherscan.io/address/0xdda46bf18eeb3e06e2f12975a3a184e40581a72f#code#F1#L365
the value
swETHToETHRateFixed
can easilly be manipulated by an attacker by taking advantage of reprice.when this function is called it updates the value of
swETHToETHRateFixed
in two placeshttps://etherscan.io/address/0xdda46bf18eeb3e06e2f12975a3a184e40581a72f#code#F1#L244
https://etherscan.io/address/0xdda46bf18eeb3e06e2f12975a3a184e40581a72f#code#F1#L339
swETHToETHRateFixed = updatedSwETHToETHRateFixed
since the value of
swETHToETHRateFixed
is reliant on the totalReserves, a malicious third party address that have the SwellLib.BOT role can update the swETH rate to whatever value they wantthis falls into the external protocol integration risk that external admin should not have the power to manipulate the oracle price and rug the tokenmak user
Impact
Malicious thid party SwellLib.BOT role can manipulate the price of
swellETH
Code Snippet
https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/oracles/providers/SwEthEthOracle.sol#L26-L33
Tool used
Manual Review
Recommendation
do not use spot price
swETHToETHRate
to calculate price of sweETHDuplicate of #570
The text was updated successfully, but these errors were encountered: