6. calcLpPosition computation can be manipulated #7
Description
Severity: High
Difficulty: Medium
Type: Data Validation
Target: AHv2Farmer.sol
Description
An attacker could to manipulate the total supply of a Sushiswap pool that is going to be used for the internal calculation in the strategy.
The strategy uses a Sushiswap pool to calculate the want and eth value of an LP position:
function calcLpPosition(uint256 collateral) internal view returns (uint256[] memory) {
(uint112 reserve0, uint112 reserve1, ) = IUniPool(pool).getReserves();
uint256 poolBalance = IUniPool(pool).totalSupply();
uint256 share = collateral * PERCENTAGE_DECIMAL_FACTOR / poolBalance;
uint256[] memory lpPosition = new uint256[](2);
lpPosition[1] = uint256(reserve0) * share / PERCENTAGE_DECIMAL_FACTOR;
lpPosition[0] = uint256(reserve1) * share / PERCENTAGE_DECIMAL_FACTOR;
return lpPosition;
} Figure 1: AHv2Farmer.sol#L613-L622
However, since these values depends on an external call to the total supply of a Sushiswap pool, that can be manipulated by external users adding or removing liquidity before a withdraw, that triggers this computation.
Exploit scenario
Eve takes a flashloan and provides liquidity to the same pool used by the strategy. In the same transaction, Eve can call withdraw from the strategy forcing it to compute a manipulated price, and then remove the liquidity from the pool.
Recommendation
Short term, rewrite the calcLpPosition to compute the assets price using oracles that are resistant to manipulation during a transaction.
Long term, reduce the dependency of external contracts to mitigate this types of attacks.