`_updateTWAV` can be flash loaned. A hacker may pay the flash loan fee for 4 blocks and then execute the attack after that.
```solidity
function _updateTWAV(uint256 _valuation, uint32 _blockTimestamp) internal {
    uint32 _timeElapsed;
    unchecked {
        _timeElapsed = _blockTimestamp - lastBlockTimeStamp;
    }
    uint256 _prevCumulativeValuation = twavObservations[((twavObservationsIndex + TWAV_BLOCK_NUMBERS) - 1) % TWAV_BLOCK_NUMBERS].cumulativeValuation;
    twavObservations[twavObservationsIndex] = TwavObservation(_blockTimestamp, _prevCumulativeValuation + (_valuation * _timeElapsed)); //add the previous observation to make it cumulative
    twavObservationsIndex = (twavObservationsIndex + 1) % TWAV_BLOCK_NUMBERS;
    lastBlockTimeStamp = _blockTimestamp;
}
```
Focus here:

```solidity
twavObservations[twavObservationsIndex] = TwavObservation(_blockTimestamp, _prevCumulativeValuation + (_valuation * _timeElapsed)); //add the previous observation to make it cumulative
```

Follow this process:

- With a TWAP window of 4 blocks, a hacker may need to flash loan at most 1000M USD for 4 blocks to move the price of WETH in the 0.3% fee Uniswap v3 pool up 90%.
- Flash loans and swapping have around a 0.2% fee, so the hacker loses 2M/block for 4 blocks = 8M.
- But the hacking reward may be greater than this (in the case of a large pool, for example WETH/USDC).
- For a lower-liquidity pair, the cost is far less than this.

Manual, and some calculation.

TWAV should span more than 4 blocks. With more blocks, it costs more money, even for a rich attacker. The attacker may go broke before the attack succeeds.

Some calculation research here: <https://blog.euler.finance/uniswap-oracle-attack-simulator-42d18adf65af>
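
To show why a longer window helps, this Python model (an added example, not code from the project) replays the ring-buffer write from `_updateTWAV` and reports the average after the valuation has been held 90% high for 4 blocks. The read formula in `twav`, the 12-second block spacing and the names `TwavModel` and `twav_after_skew` are assumptions, since the page shows only the write side.

```python
# Added illustration: a model of the ring buffer written by _updateTWAV.
# The read side (twav) and the 12-second block spacing are assumptions.

class TwavModel:
    def __init__(self, window, start_ts):
        if window < 2:
            raise ValueError("need at least two observations to average")
        self.window = window               # plays the role of TWAV_BLOCK_NUMBERS
        self.obs = [(0, 0)] * window       # (timestamp, cumulativeValuation)
        self.index = 0                     # twavObservationsIndex
        self.last_ts = start_ts            # lastBlockTimeStamp

    def update(self, valuation, ts):
        # Same arithmetic as the Solidity function (uint32 wrap-around not modelled).
        elapsed = ts - self.last_ts
        prev_cum = self.obs[(self.index + self.window - 1) % self.window][1]
        self.obs[self.index] = (ts, prev_cum + valuation * elapsed)
        self.index = (self.index + 1) % self.window
        self.last_ts = ts

    def twav(self):
        # Assumed read: (newest cumulative - oldest cumulative) / elapsed time.
        newest = self.obs[(self.index + self.window - 1) % self.window]
        oldest = self.obs[self.index]
        if oldest[0] == 0:
            return None                    # buffer not yet full
        return (newest[1] - oldest[1]) // (newest[0] - oldest[0])


def twav_after_skew(window, honest, skewed, skewed_blocks, block_time=12):
    """TWAV after a full honest warm-up followed by `skewed_blocks` skewed updates."""
    ts = 1_000                             # constructed start timestamp
    model = TwavModel(window, ts)
    for _ in range(2 * window):            # fill the buffer with honest values
        ts += block_time
        model.update(honest, ts)
    for _ in range(skewed_blocks):         # valuation held at the skewed level
        ts += block_time
        model.update(skewed, ts)
    return model.twav()


if __name__ == "__main__":
    # Honest valuation 100, skewed valuation 190 (up 90%), held for 4 blocks.
    for window in (4, 8, 40, 100):
        print(window, twav_after_skew(window, 100, 190, 4))
```

With a window of 4, four skewed updates overwrite every slot and the average equals the skewed valuation; with a window of 40, the same four updates move it by less than 10%.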