Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Resonate>Discussion>Oracle attacks
GeneralOverview
Findings
Critical (2)
Medium (1)
Low (2)
Informational (2)
DiscussionOracle attacksReentrancyCode maturityComposablity
Audit ResultsAudit Results

Oracle attacks

If an attacker got control of the price oracle, they could pass a low price to sharesPerPacket during a call to submitProducer(…):

sharesPerPacket = IOracleDispatch(oracleDispatch[vaultAsset][pool.asset]).getValueOfAsset(vaultAsset, pool.asset, true);

The depressed price would drive up the number of packets of vault shares for interest claiming.


producerPacket = getAmountPaymentAsset(pool.rate * pool.packetSize/PRECISION, sharesPerPacket, vaultAsset, vaultAsset);

producerOrder = Order(uint112(amount/ producerPacket), sharesPerPacket, msg.sender.fillLast12Bytes());

They would get matched with a higher amount of underlying vault principal for the same dollar amount of pool asset deposited, allowing them to earn excessive interest. Similar to the points in the section on centralization risk, this attack vector is best managed by 1) using a multisig to set the price oracle address and 2) using a reliable price oracle such as ChainLink.

Revest acknowledges this risk. They emphasize that oracle systems require adminisitrative controls and indicate the use of multisigs and timelocks as eventual control measures.

Zellic © 2024Back to top ↑