
FV-SOL-10 Oracle Manipulation

TLDR

Oracle manipulation is tampering with the mechanisms that provide asset price data to smart contracts, so that a contract acts on a price that does not reflect the real market.

Code

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @notice Minimal price-feed interface consumed by VulnerableCompound.
/// @dev The getter returns a bare uint256: no timestamp, round id or other
///      metadata comes back with it, so a caller cannot judge from the return
///      value alone how fresh or trustworthy the reported price is.
interface Oracle {
    /// @return The price the oracle currently reports.
    function getCurrentOraclePrice() external view returns (uint256);
}

/// @title VulnerableCompound
/// @notice Teaching example of oracle reliance: the contract copies whatever a
///         single oracle reports into its own state.
/// @dev Deliberately left vulnerable to illustrate the weakness. Review points:
///      - one oracle address, fixed at construction, is the only price source;
///      - the reported value is stored without any bounds or sanity check;
///      - nothing here checks how old the reading is;
///      - `getPricingImportant` is `public` with no access control.
contract VulnerableCompound {
    /// @notice The single price feed this contract reads from.
    Oracle public oracle;

    /// @notice Last price copied from the oracle; initialised to 1e18.
    uint256 public oraclePrice;

    /// @param _oracle Address treated as an `Oracle` implementation. It is
    ///        cast without validation (a zero or non-contract address is accepted).
    constructor(address _oracle) {
        oraclePrice = 1e18;
        oracle = Oracle(_oracle);
    }

    /// @notice Overwrites `oraclePrice` with the oracle's current reading.
    /// @dev Anyone may call this. The reading flows straight into storage, so
    ///      a manipulated feed becomes the price this contract reports.
    function getPricingImportant() public {
        uint256 reportedPrice = oracle.getCurrentOraclePrice();
        // Weak point: the single source is assumed truthful and stored as-is,
        // with no cross-check against another feed or an expected range.
        oraclePrice = reportedPrice;
    }
}

Classifications

Mitigation Patterns

Multi-Sourced Oracles (FV-SOL-10-M1)

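Use multiple independent oracle data sources to calculate an aggregated price (for example, the median of the reported values), so that a single manipulated source cannot set the price on its own.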

Actual Occurrences

Content
