Lone Azure Narwhal - Attacker can front-run oracle update to arbitrage prices #207
Description
Lone Azure Narwhal
High
Attacker can front-run oracle update to arbitrage prices
Summary
An attacker can exploit the delay in oracle updates in mempool to manipulate asset prices, leading to arbitrage opportunities that can unfairly benefit the attacker.
Root Cause
The system relies on an external oracle for pricing, but price updates are not synchronized with transaction execution, allowing front-running.
Internal Pre-conditions
The protocol fetches the latest price from an oracle during buy/sell operations.
Oracle updates occur at set intervals (not per transaction).
External Pre-conditions
The attacker has access to a mempool scanner (e.g., Flashbots, MEV searcher).
The attacker monitors oracle updates and predicts future price changes.
Attack Path
- The attacker detects an upcoming oracle update that will increase the price of an asset.
- Before the update is mined, they submit a buy transaction at the current lower price.
- After the update is confirmed, they sell at a higher price, profiting from the difference.
- This can be repeated whenever price discrepancies exist due to delayed oracle updates.
Impact
Unfair arbitrage gains for attackers.
Protocol liquidity depletion.
Loss of user trust due to price manipulation.
PoC
No response
Mitigation
- Price Commit-Reveal Mechanism: Implement a time delay for oracle price changes to prevent instant arbitrage.
- Mandatory Oracle Delay: Enforce a minimum time gap between price updates and transaction execution.