
One Ring Finance

Step-by-step

  1. Flashloan some USDC
  2. Deposit it to mint shares
  3. Withdraw the shares for USDC
  4. Repay loan and transfer profit

Detailed Description

One Ring Finance used the amount of reserves held in the vault as a price gauge. An attacker can manipulate that price by changing the amount of reserves in the contract within a single transaction.

Both the deposit and withdraw methods use:

        uint256 _sharePrice = getSharePrice();

to calculate how many shares the user must receive. To exploit this, the attacker deposited USDC into the contract, which drove the price of the shares up, and then immediately sold them.

Possible mitigations

  1. Use time-weighted price feeds (TWAP) or other reliable oracles to price the assets instead of relying on a metric that can be manipulated with flash loans.
  2. Another strategy is to implement slippage, so that the price of each share increases the more you buy.
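The model below is an added example, not One Ring's contract code. It uses a constructed vault (reserves and shares outstanding) to make the two points above concrete: the first check shows that a spot gauge read straight from reserves moves as soon as reserves change inside a block, which is the weakness the Detailed Description covers; the TWAP oracle and the slippage-aware mint/redeem formulas model mitigations 1 and 2, and the round-trip invariant is the test a vault team can run to confirm that a same-block deposit-then-redeem cannot come out ahead. The share-price formula, the window-based TWAP and the `S * a / (R + a)` mint rule are assumptions chosen for the model, not a description of how One Ring priced shares.

```python
from dataclasses import dataclass, field


@dataclass
class Vault:
    """Constructed vault state: asset reserves and shares outstanding."""
    reserves: int
    total_shares: int

    def spot_share_price(self) -> float:
        """Spot gauge of the kind the page describes: price per share read
        straight from current reserves, so any reserve change inside a block
        moves it immediately."""
        return self.reserves / self.total_shares


def spot_price_moves_within_block(reserves: int, total_shares: int, added: int) -> bool:
    """Reviewer check: does a same-block reserve change alter the price the
    vault would use? True means the gauge can be moved atomically."""
    vault = Vault(reserves, total_shares)
    before = vault.spot_share_price()
    vault.reserves += added            # funds land in the contract mid-block
    return vault.spot_share_price() != before


@dataclass
class TwapOracle:
    """Mitigation 1 (modelled): a time-weighted price built from one
    observation per completed block. A read in block N averages only blocks
    < N, so reserves moved in block N cannot feed the price used in N."""
    window: int                                        # blocks averaged
    observations: dict = field(default_factory=dict)   # block -> closing price

    def observe(self, block: int, price: float) -> None:
        self.observations[block] = price

    def read(self, block: int) -> float:
        recent = [p for b, p in self.observations.items()
                  if block - self.window <= b < block]
        if not recent:
            raise ValueError("no completed observations inside the window")
        return sum(recent) / len(recent)


def mint_with_slippage(vault: Vault, amount: int) -> int:
    """Mitigation 2 (modelled): shares = S * a / (R + a), so the average price
    paid per share, (R + a) / S, rises with the size of the deposit."""
    shares = vault.total_shares * amount // (vault.reserves + amount)
    vault.reserves += amount
    vault.total_shares += shares
    return shares


def redeem_pro_rata(vault: Vault, shares: int) -> int:
    """Redeem shares for a pro-rata slice of reserves: a = R * s / S."""
    amount = vault.reserves * shares // vault.total_shares
    vault.reserves -= amount
    vault.total_shares -= shares
    return amount


def same_block_round_trip(reserves: int, total_shares: int, amount: int) -> int:
    """Invariant a vault test suite should enforce: deposit then redeem in the
    same block must never return more than was deposited. Returns the net
    change for the depositor; a value > 0 is a finding."""
    vault = Vault(reserves, total_shares)
    shares = mint_with_slippage(vault, amount)
    return redeem_pro_rata(vault, shares) - amount


if __name__ == "__main__":
    # Constructed numbers: 1,000,000 assets backing 1,000,000 shares.
    print("spot gauge moves in-block:",
          spot_price_moves_within_block(1_000_000, 1_000_000, 500_000))
    twap = TwapOracle(window=3)
    for blk in (1, 2, 3):
        twap.observe(blk, 1.0)
    twap.observe(4, 1.5)                 # reserves jumped during block 4
    print("TWAP used in block 4:", twap.read(4))
    print("round-trip net for depositor:",
          same_block_round_trip(1_000_000, 1_000_000, 500_000))
```

The spot check returns True for any non-zero reserve change, which is exactly what an audit should flag; the TWAP read in block 4 ignores block 4's own observation, and the round trip under the slippage formula is always negative for the depositor, so an atomic deposit-and-redeem has no upside.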

Diagrams and graphs

Class diagram (image not included in this extract)

Sources and references