Platform: Code4rena
Start Date: 08/06/2022
Pot Size: $115,000 USDC
Total HM: 26
Participants: 72
Period: 11 days
Judge: leastwood
Total Solo HM: 14
Id: 132
League: ETH
Rank: 49/72
Findings: 1
Award: $195.02
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: BowTiedWardens
Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Chom, ElKu, Funen, IllIllI, JMukesh, Jujic, Kaiziron, Lambda, MiloTruck, Ruhum, SmartSek, SooYa, TerrierLover, TomJ, WatchPug, Waze, _Adam, asutorufos, auditor0517, bardamu, c3phas, catchup, cccz, ch13fd357r0y3r, cloudjunky, cmichel, cryptphi, csanuragjain, defsec, fatherOfBlocks, hansfriese, hyh, jayjonah8, joestakey, k, kenta, obtarian, oyc_109, robee, sach1r0, shenwilly, simon135, slywaters, sorrynotsorry, tintin, unforgiven, xiaoming90, zzzitron
195.0221 USDC - $195.02
The ConnextPriceOracle.getPriceFromDex function divides the balances of the two token pairs to compute the price.
There are several issues with it:
reserve data. For many Uniswap-like AMMs, the balance can be manipulated by sending tokens directly to the contract, and then reclaimed later through a skim. The reserve should be used instead.getPriceFromDex computes the token price as baseBalance denominated in token / tokenBalance. As the baseBalance is increased, the tokenPrice is increased as well.skim on the pool to get back their balance.The price from DEX function is not suited for any on-chain queries.
For off-chain queries it can also be manipulated as it uses balance instead of reserves - which can be claimed back at a future block although this comes with risk.
#0 - 0xleastwood
2022-08-14T00:19:51Z
This contract is not being actively used in the codebase. I'm downgrading this to QA because it may be integrated in the future.