Magic Rainbow Locust
High
The reliance on an unprotected Uniswap TWAP price oracle in LenderCommitmentGroup_Smart.sol will cause under-collateralized loans for lenders, as an attacker can manipulate the Uniswap pool price to artificially reduce the required collateral amount and borrow more principal tokens than they should, potentially leading to loss of funds for the lending pool.
In LenderCommitmentGroup_Smart.sol, specifically in the function calculateCollateralTokensAmountEquivalentToPrincipalTokens, the contract uses the Uniswap V3 TWAP price oracle obtained from UniswapPricingLibrary.getUniswapPriceRatioForPoolRoutes(poolOracleRoutes)without sufficient safeguards against price manipulation. The lack of a minimum enforced TWAP interval and absence of limits on the exchange rate(maxPrincipalPerCollateralAmount defaulting to zero)` allow an attacker to manipulate the oracle price, reducing the required collateral for loans.
No response
No response
The attacker examines the poolOracleRoutes configuration in the LenderCommitmentGroup_Smart contract to identify the Uniswap V3 pool(s) used as the price oracle between the principal and collateral tokens. By analyzing these routes, the attacker locates specific pools with low liquidity, making them susceptible to price manipulation.
The attacker manipulates the Uniswap pool's price by executing large trades that decrease the price of the collateral token relative to the principal token. Specifically, the attacker swaps a significant amount of principal tokens for collateral tokens in the Uniswap pool, causing the collateral token's price to drop sharply due to the low liquidity.
Due to the short Time-Weighted Average Price (TWAP) interval configured in the poolOracleRoutes (e.g., 3 seconds), the manipulated price quickly affects the oracle price returned by UniswapPricingLibrary.getUniswapPriceRatioForPoolRoutes(poolOracleRoutes). This manipulated oracle price leads to an inflated principalPerCollateralAmount, which is calculated using the calculateCollateralTokensAmountEquivalentToPrincipalTokens function in the LenderCommitmentGroup_Smart contract.
As a result, the required collateral amount for borrowing is significantly reduced. The attacker calls acceptSmartCommitmentWithRecipient() through the SmartCommitmentForwarder contract to request a large loan, providing only the reduced amount of collateral tokens, as calculated using the manipulated price.
The LenderCommitmentGroup_Smart contract approves the loan based on the reduced collateral requirement, and the attacker receives the principal amount while having provided insufficient collateral. The attacker then defaults on the loan, keeping the excess principal tokens. When the loan defaults, the collateral seized by the lending pool is insufficient to cover the outstanding principal and interest, leading to financial losses for the lenders.
Proof of Concept (PoC)
The lending pool suffers a financial loss as loans are under-collateralized due to manipulated oracle prices. The attacker gains excess principal tokens without providing adequate collateral. If the attacker defaults on the loan, the collateral seized will not cover the outstanding principal and interest, leading to potential significant losses for lenders.
Suppose the lending pool relies on a Uniswap V3 pool between the principal token (e.g., USDC) and the collateral token (e.g., DAI), using a very short TWAP interval of 3 seconds.
The attacker swaps a large amount of USDC for DAI in the Uniswap pool, significantly decreasing the price of DAI relative to USDC. Due to the low liquidity and large trade size, this causes a substantial price impact.
Given the short TWAP interval, the manipulated price quickly reflects in the oracle price obtained by calling UniswapPricingLibrary.getUniswapPriceRatioForPoolRoutes(poolOracleRoutes). The attacker then calculates the reduced collateral requirement by invoking calculateCollateralTokensAmountEquivalentToPrincipalTokens(principalAmount) in the LenderCommitmentGroup_Smart contract. This function uses the inflated principalPerCollateralAmount, resulting in a much lower required collateral amount for the desired principal loan.
The attacker proceeds to request a loan by calling acceptSmartCommitmentWithRecipient() via the SmartCommitmentForwarder, supplying only the reduced amount of DAI as collateral. The lending pool, relying on the manipulated oracle price, approves the loan based on the calculated collateral requirement.
Finally, the attacker defaults on the loan, retaining the borrowed USDC. The collateral seized by the lending pool is insufficient to cover the outstanding loan amount due to the artificially lowered collateral requirement, leading to a financial loss for the lenders.
No response