Centralized pricing arbitrage
Description
As the protocol uses a combination of automated market maker (AMM) oracles and centralized prices provided in signatures, an arbitrage opportunity may exist that will result in the drainage of pools.
function borrow(...) public virtual returns (uint256 debt_shares) {
require(
checkSignature(authorizer, market, price, deadline, v, r, s),
"invalid.signature"
);
require(authorizer == _owner, "authorizer");
require(market == address(this), "market");
require(deadline >= block.timestamp, "expired");
// protect against price manipulation
require(validatePrice(price, amount), "invalid.price");
debt_shares = _debt.withdraw(amount, receiver, owner);
}
}
The signatures have a deadline of five minutes and can be constantly polled from off-chain components. A malicious user could continuously poll these signatures, waiting for the increase in price of those tokens, and exploit the price difference between the signed price five minutes ago and the current market price.
If the price goes up substantially relative to the price in the signature five minutes ago, there may be an edge case where a user can actually borrow more capital than the price of their collateral.
For markets that have high collateralization ratio, this can be especially risky because in addition to that, AMM oracles can be manipulated to a certain extent (limited by validatePrice
) in the protocol.
Impact
For some market configurations that have have a 90% collateralization rate and 95% liquidation rate, the delta allowed for the underlying AMM is ~5%. A malicious user constantly polling for signatures would have to wait for one instance of such a price movement in the market in order to execute such an arbitrage.
Recommendations
With the current architecture, such attacks will always be possible in case of drastic price movements in the five-minute period. However, the goal here is to make this unlikely, by reducing either maximum collateralization rates or reducing the deadline time period such that the required price movement is almost impossible in the time period.
Remediation
The Nukem team agreed with this finding and decided to lower collateralization rates in existing market configurations. The team plans to add additional mitigations in a future update.