This repository has been archived by the owner on May 27, 2024. It is now read-only.

One Ring Finance

Step-by-step

  1. Flashloan some USDC
  2. Deposit it to mint shares
  3. Withdraw the shares for USDC
  4. Repay the loan and transfer the profit

Detailed Description

One Ring Finance used the amount of reserves held in the vault as a price gauge. The attacker can manipulate the price by changing the amount of reserves in the contract.

Both the deposit and withdraw methods use:

        uint256 _sharePrice = getSharePrice();

to calculate how many shares the user must receive. To exploit this, the attacker deposited USDC into the contract, which drove the price of the shares up, and then immediately sold them.

Possible mitigations

  1. Use Time-Weighted price feeds or other reliable oracles to get the price of commodities instead of relying on a metric that can be manipulated with flash loans.
  2. Another strategy is to implement slippage, so the price of each share increases the more you buy.
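A simplified Python model of the first mitigation, added here as an illustration and not taken from One Ring Finance's contracts: a cumulative-price TWAP plus a deviation guard, showing that a price written and read within the same timestamp carries zero weight in the average. The names `TwapOracle`, `guarded_share_price`, the 600-second window, the 100 bps tolerance and all sample prices are assumptions made for this example.

```python
from bisect import bisect_right

SCALE = 10**6  # assumption: prices are fixed-point with 6 decimals, like USDC

class TwapOracle:
    """Cumulative-price oracle: each price is weighted by the time it was in effect."""
    def __init__(self, price, now):
        self.last_price, self.last_time, self.cumulative = price, now, 0
        self.times, self.cums = [now], [0]  # snapshots: timestamp -> cumulative

    def update(self, price, now):
        # Credit the previous price for the time it was live, then record the new one.
        self.cumulative += self.last_price * (now - self.last_time)
        self.last_price, self.last_time = price, now
        self.times.append(now)
        self.cums.append(self.cumulative)

    def twap(self, now, window):
        cum_now = self.cumulative + self.last_price * (now - self.last_time)
        # Newest snapshot at or before the window start, else the oldest one.
        i = max(bisect_right(self.times, now - window) - 1, 0)
        elapsed = now - self.times[i]
        if elapsed == 0:
            raise ValueError("no price history yet")
        return (cum_now - self.cums[i]) // elapsed

def guarded_share_price(oracle, spot, now, window=600, max_deviation_bps=100):
    """Return the TWAP to price a deposit/withdraw, or raise if spot has drifted from it."""
    reference = oracle.twap(now, window)
    if abs(spot - reference) * 10_000 > max_deviation_bps * reference:
        raise RuntimeError(f"spot {spot} deviates from TWAP {reference}")
    return reference

def demo():
    oracle = TwapOracle(1 * SCALE, now=0)
    for t in range(60, 601, 60):          # constructed data: stable price for 10 minutes
        oracle.update(1 * SCALE, t)
    spiked = 14 * SCALE // 10             # constructed: spot inflated within one transaction
    oracle.update(spiked, 600)            # same timestamp, so zero time weight
    try:
        guarded_share_price(oracle, spiked, now=600)
        rejected = False
    except RuntimeError:
        rejected = True
    return oracle.twap(600, 600), rejected

if __name__ == "__main__":
    print(demo())
```

The guard prices the operation at the time-weighted value and refuses to proceed while the spot value disagrees with it, so a reserve change that exists only inside one transaction cannot set the share price.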

Diagrams and graphs

[Figure: class diagram]

Sources and references