Platform: Code4rena
Start Date: 28/11/2022
Pot Size: $192,500 USDC
Total HM: 33
Participants: 106
Period: 11 days
Judge: LSDan
Total Solo HM: 15
Id: 186
League: ETH
Rank: 45/106
Findings: 1
Award: $266.74
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ladboy233
Also found by: Kong, Lambda, R2, __141345__, mahdikarimi
266.7397 USDC - $266.74
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L156-L181 https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L96-L107
The getTokenPrice function in UniswapV3OracleWrapper can be manipulated with a flash loan.
Scenario: the attacker takes a flash loan and mints a new Uniswap V3 position (or increases the liquidity of an existing one) before getTokenPrice is called. Because the function uses the position's liquidity amount as a price factor, the liquidity added with the flash-loaned funds makes it compute an inflated price. Once that price has been consumed, the attacker removes the flash-loaned amount from the position and repays the flash loan. All of this happens in one transaction, so the token price returned by getTokenPrice is successfully manipulated by the flash loan.
1. Take a flash loan
2. Increase liquidity
3. Call getTokenPrice (or any logic that uses this function, such as borrow)
4. Decrease liquidity
5. Repay the flash loan
The attack depends on step 4 being possible after step 3: the attacker still controls the position whose liquidity was counted, and nothing stops that position from being shrunk again in the same transaction.
Manual Review
To protect against this flash loan attack, transfer the liquidity into a new position owned by the protocol and assign that position to the user. Once the liquidity has been moved out of the attacker's own position, the attacker can no longer remove the flash-loaned amount to repay the flash loan, so the transaction reverts.
This solution requires keeping track of every position created this way for users, for example a mapping of addresses to tokenIds.
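The scenario and the mitigation above, worked out as an added Solidity example. This is not ParaSpace code and not the warden's; it assumes the Uniswap V3 periphery `INonfungiblePositionManager` interface, OpenZeppelin 4.9 or later for `SafeERC20.forceApprove`, a hypothetical minimal `IPositionOracle` interface that borrows only the `getTokenPrice(tokenId)` name from the finding, and one position per depositor. The names `MigratingPositionVault`, `Range`, `supply`, `_range`, `_drain`, `_mintOwned`, `collateralValue` and `withdraw` are all assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Assumptions: OpenZeppelin >= 4.9 (forceApprove) and the Uniswap V3 periphery interfaces.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {INonfungiblePositionManager} from "@uniswap/v3-periphery/contracts/interfaces/INonfungiblePositionManager.sol";

/// Hypothetical minimal oracle interface; only the name getTokenPrice(tokenId) is from the finding.
interface IPositionOracle {
    function getTokenPrice(uint256 tokenId) external view returns (uint256);
}

/// Example vault, not ParaSpace code. On supply it moves the liquidity of the
/// depositor's Uniswap V3 position into a fresh position owned by this contract
/// and records depositor => tokenId. Valuation only ever reads that protocol-owned
/// position, so liquidity flash-loaned into the depositor's own position cannot be
/// pulled out again in the same transaction: the depositor no longer controls it,
/// and the flash loan repayment reverts.
contract MigratingPositionVault {
    using SafeERC20 for IERC20;

    struct Range { address token0; address token1; uint24 fee; int24 tickLower; int24 tickUpper; }

    INonfungiblePositionManager public immutable positionManager;
    IPositionOracle public immutable oracle;

    /// Protocol-owned position per depositor (one position per user, for brevity).
    mapping(address => uint256) public positionOf;

    constructor(INonfungiblePositionManager _positionManager, IPositionOracle _oracle) {
        positionManager = _positionManager;
        oracle = _oracle;
    }

    /// Migrate `tokenId` (caller must have approved this contract for it);
    /// `amount0Min`/`amount1Min` bound the slippage of the withdrawal.
    function supply(uint256 tokenId, uint256 amount0Min, uint256 amount1Min) external returns (uint256 newTokenId) {
        require(positionOf[msg.sender] == 0, "already supplied");
        positionManager.transferFrom(msg.sender, address(this), tokenId);

        (Range memory r, uint128 liquidity) = _range(tokenId);
        require(liquidity > 0, "empty position");

        (uint256 amount0, uint256 amount1) = _drain(tokenId, liquidity, amount0Min, amount1Min);
        newTokenId = _mintOwned(r, amount0, amount1);
        positionOf[msg.sender] = newTokenId;
    }

    /// Read the pair, fee tier, tick range and current liquidity of a position.
    function _range(uint256 tokenId) internal view returns (Range memory r, uint128 liquidity) {
        (, , r.token0, r.token1, r.fee, r.tickLower, r.tickUpper, liquidity, , , , ) = positionManager.positions(tokenId);
    }

    /// Remove all liquidity from the depositor's NFT, collect principal plus fees into
    /// this contract, and burn the now-empty NFT so it cannot be mistaken for collateral.
    function _drain(uint256 tokenId, uint128 liquidity, uint256 amount0Min, uint256 amount1Min)
        internal returns (uint256 amount0, uint256 amount1)
    {
        positionManager.decreaseLiquidity(INonfungiblePositionManager.DecreaseLiquidityParams({
            tokenId: tokenId, liquidity: liquidity, amount0Min: amount0Min, amount1Min: amount1Min, deadline: block.timestamp
        }));
        (amount0, amount1) = positionManager.collect(INonfungiblePositionManager.CollectParams({
            tokenId: tokenId, recipient: address(this), amount0Max: type(uint128).max, amount1Max: type(uint128).max
        }));
        positionManager.burn(tokenId);
    }

    /// Re-mint the same range with this contract as owner. With standard ERC-20 tokens the
    /// pool state cannot change between _drain and this call inside one transaction, so the
    /// withdrawal minimums already bound the slippage; whatever the pool does not take
    /// (rounding, fee imbalance) goes back to the depositor.
    function _mintOwned(Range memory r, uint256 amount0, uint256 amount1) internal returns (uint256 newTokenId) {
        IERC20(r.token0).forceApprove(address(positionManager), amount0);
        IERC20(r.token1).forceApprove(address(positionManager), amount1);
        uint256 used0;
        uint256 used1;
        (newTokenId, , used0, used1) = positionManager.mint(INonfungiblePositionManager.MintParams({
            token0: r.token0, token1: r.token1, fee: r.fee, tickLower: r.tickLower, tickUpper: r.tickUpper,
            amount0Desired: amount0, amount1Desired: amount1, amount0Min: 0, amount1Min: 0,
            recipient: address(this), deadline: block.timestamp
        }));
        if (amount0 > used0) IERC20(r.token0).safeTransfer(msg.sender, amount0 - used0);
        if (amount1 > used1) IERC20(r.token1).safeTransfer(msg.sender, amount1 - used1);
    }

    /// Collateral value is read from the protocol-owned position only.
    function collateralValue(address user) external view returns (uint256) {
        uint256 tokenId = positionOf[user];
        return tokenId == 0 ? 0 : oracle.getTokenPrice(tokenId);
    }

    /// Hand the protocol-owned position back. A lending integration must gate this (and any
    /// decreaseLiquidity on the owned position) on the borrower's health factor; not modeled here.
    function withdraw() external returns (uint256 tokenId) {
        tokenId = positionOf[msg.sender];
        require(tokenId != 0, "nothing supplied");
        delete positionOf[msg.sender];
        positionManager.transferFrom(address(this), msg.sender, tokenId);
    }
}
```

The ordering is the point: the depositor's NFT is drained and burned before the protocol-owned one is minted, and `collateralValue` only ever prices `positionOf[user]`, so liquidity added to a user-held position in the same transaction is never what the oracle sees, and the attacker has no position left to call decreaseLiquidity on to repay the flash loan. What the example does not cover is the lending side: `withdraw`, and any decreaseLiquidity the protocol itself performs on the owned position, must still be gated on the borrower's health factor, otherwise the same five steps can be replayed through the protocol's own withdrawal path.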
#0 - c4-judge
2022-12-20T17:52:18Z
dmvt marked the issue as duplicate of #50
#1 - c4-judge
2023-01-09T16:43:01Z
dmvt changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-01-23T16:15:46Z
dmvt marked the issue as satisfactory