Security: Price Manipulation in function swap #1

@smartsmartsec

Impact

  • Other: Manipulation of token prices leading to abnormal profits or losses for unaware participants.

Affected component(s)

function swap in DeltaSwapPair.sol

Attack vector(s)

The attacker can manipulate the input amounts and the reserves to influence the price calculation unfavorably.

Suggested description of the vulnerability for use in the CVE

The swap function does not properly validate input amounts against backend reserves, allowing an attacker to manipulate the token exchange prices. By strategically choosing amounts to trade, an attacker can exploit the constant product formula to create favorable conditions for price manipulation. This vulnerability allows for the potential manipulation of market prices, leading to economic advantages at the expense of other users.

Discoverer(s)/Credits

xFuzz

Proposed Solution

  • Implement additional checks to validate and limit trade amounts relative to the liquidity pool's current state and recent transaction history.
  • Introduce a dynamic pricing model that adjusts fees based on trading patterns and frequency to mitigate rapid price manipulation attempts.

Reference(s)
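
The first proposed check (limiting trade size relative to the pool's current state) can be modelled as below. This is an added example, not code from DeltaSwapPair.sol or from the reporter: it is a Python model of a constant-product pool, and the 0.30% fee, the 5% price-impact cap and all function names are assumptions chosen for illustration.

```python
# Added illustration; a Python model, not code from DeltaSwapPair.sol.
BPS = 10_000
FEE_BPS = 30          # assumption: 0.30% swap fee
MAX_IMPACT_BPS = 500  # hypothetical policy: reject trades moving price > 5%


class TradeTooLarge(Exception):
    """Raised when a trade is too large relative to current reserves."""


def amount_out(amount_in, reserve_in, reserve_out, fee_bps=FEE_BPS):
    """Output of a constant-product (x * y = k) swap, integer arithmetic."""
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("amounts and reserves must be positive")
    in_after_fee = amount_in * (BPS - fee_bps)
    return in_after_fee * reserve_out // (reserve_in * BPS + in_after_fee)


def price_impact_bps(amount_in, reserve_in, reserve_out, fee_bps=FEE_BPS):
    """Shift of the pool price reserve_in / reserve_out caused by the trade."""
    out = amount_out(amount_in, reserve_in, reserve_out, fee_bps)
    new_in, new_out = reserve_in + amount_in, reserve_out - out
    return new_in * reserve_out * BPS // (new_out * reserve_in) - BPS


def guarded_swap(amount_in, reserve_in, reserve_out,
                 max_impact_bps=MAX_IMPACT_BPS, fee_bps=FEE_BPS):
    """Return (amount_out, new_reserve_in, new_reserve_out) or refuse."""
    impact = price_impact_bps(amount_in, reserve_in, reserve_out, fee_bps)
    if impact > max_impact_bps:
        raise TradeTooLarge(f"impact {impact} bps exceeds {max_impact_bps} bps")
    out = amount_out(amount_in, reserve_in, reserve_out, fee_bps)
    new_in, new_out = reserve_in + amount_in, reserve_out - out
    # The product of reserves must never decrease across a swap.
    if new_in * new_out < reserve_in * reserve_out:
        raise RuntimeError("constant-product invariant violated")
    return out, new_in, new_out


if __name__ == "__main__":
    pool = (1_000_000, 1_000_000)  # constructed sample reserves
    print(guarded_swap(10_000, *pool))       # 1% of reserve: accepted
    try:
        guarded_swap(200_000, *pool)         # 20% of reserve: refused
    except TradeTooLarge as exc:
        print("refused:", exc)
```

A cap of this kind bounds how far a single swap can move the pool price; it does not by itself address the "recent transaction history" part of the proposal, which would need state carried across swaps.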
