Oracle attacks
If an attacker got control of the price oracle, they could pass a low price to sharesPerPacket
during a call to submitProducer(…)
:
sharesPerPacket = IOracleDispatch(oracleDispatch[vaultAsset][pool.asset]).getValueOfAsset(vaultAsset, pool.asset, true);
The depressed price would drive up the number of packets of vault shares for interest claiming.
…
producerPacket = getAmountPaymentAsset(pool.rate * pool.packetSize/PRECISION, sharesPerPacket, vaultAsset, vaultAsset);
…
producerOrder = Order(uint112(amount/ producerPacket), sharesPerPacket, msg.sender.fillLast12Bytes());
They would get matched with a higher amount of underlying vault principal for the same dollar amount of pool asset deposited, allowing them to earn excessive interest. Similar to the points in the section on centralization risk, this attack vector is best managed by 1) using a multisig to set the price oracle address and 2) using a reliable price oracle such as ChainLink.