| title | description | type | network | date | loss_usd | returned_usd | tags | subcategory | vulnerable_contracts | tokens_lost | attacker_addresses | malicious_token | attack_block | reproduction_command | attack_txs | sources | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
One Ring Finance |
Exploiting share price manipulation via reserve balance changes |
Exploit |
|
2022-03-21 |
1550000 |
0 |
|
|
|
|
|
forge test --match-contract Exploit_OneRingFinance -vvv |
|
- Flashloan some USDC
- Deposit it to mint shares
- Withdraw the shares for USDC
- Repay loand and transfer profit
One Ring Finance used the amount of reserves held in the vault as a price gauge. The attacker can manipulate the price by changhing the amount of reserves in the contract.
Both the deposit and withdraw methods use:
uint256 _sharePrice = getSharePrice();To calculate how many shares the user must receive. To exploit this, the attacker deposited USDC into the contract, which drove the price of the shares up, and then immediatly sold them.
- Use Time-Weighted price feeds or other reliable oracles to get the price of commodities instead of relying on a metric that can be manipulated with flash loans.
- Another strategy is to implement
slippage, so the price of each share increase the more you buy.
- BVaults - Price manipulation through unprotected swap functions
- Polter Finance - Oracle price manipulation to drain lending protocol
- Onyx Protocol - Empty market manipulation to inflate collateral values