Full Report
Within the Olympus ecosystem, there are three different price feeds that can be used. If one of them reverts, the module simply uses the other ones. So, what could possibly go wrong? The key to the issue is the reverting. What if we could force a price feed to fail? If so, then we could pick the price oracle that had a good price for us and make the price calculation more centralized in our favor. Selective failures can be really bad on a blockchain for gaming the system. Uniswap and Balancer both have reentrancy checks. So, if an attacker called Olympus while in a callback from both Uniswap and Balancer, then those price feeds would fail. Bunni uses Uniswap under the hood for some things, so if that functionality is deliberately triggered then it's possible to force a revert there as well. Overall, a super interesting bug with a VERY long chain of questions being asked. I really enjoyed the bug, since it really thinks outside the box and requires a deep understanding of the protocols being interacted with. In the end, they ranked this as a medium, which is fair since Chainlink could not be manipulated this way.
Analysis Summary
# Vulnerability: Price Feed Manipulation via Selective Reverting
## CVE Details
- CVE ID: N/A (Smart Contract Audit Finding)
- CVSS Score: 6.5 (Medium - estimated based on exploitability and impact)
- CWE: CWE-340: Generation of Predictable Numbers; CWE-754: Improper Check for Unusual or Exceptional Conditions.
## Affected Systems
- Products: Olympus Ecosystem (specifically the Bophades PRICE module)
- Versions: High-level protocol version V2 (submodule feeds)
- Configurations: Systems utilizing multiple price feeds (UniswapV3, Balancer, or Bunni) where values are averaged or selected based on availability.
## Vulnerability Description
The Olympus `Price` module iterates through available price feeds for a given asset. If a feed reverts, the system silently catches the error and proceeds to calculate the price using the remaining feeds.
The flaw lies in an attacker's ability to **intentionally trigger reverts** in specific feeds by abusing the protocols' reentrancy checks. Both UniswapV3 and Balancer hold an internal "locked" state while a callback is in progress. An attacker can initiate a transaction that triggers a callback from one of these protocols and, while that state is "locked," call the Olympus price calculation. The Uniswap/Balancer feeds then revert, which lets the attacker "de-select" them and force the module to price the asset from a single, potentially manipulated or more favorable remaining feed (e.g., a manipulated Chainlink feed or a single spot price).
## Exploitation
- Status: PoC confirmed via Sherlock Audit #127
- Complexity: High (Requires deep understanding of DeFi protocol callbacks and reentrancy states)
- Attack Vector: Network (Smart Contract Interaction)
## Impact
- Confidentiality: None
- Integrity: Medium (The price calculation can be skewed to favor the attacker, leading to potential loss of funds or unfair arbitrage)
- Availability: Low (Does not disable the protocol, but manipulates output)
## Remediation
### Patches
- The developers initially marked this as "Won't Fix" regarding the specific audit issue but acknowledged the design risk. A robust fix involves differentiating between "Hard Reverts" (system failure) and "Soft Reverts" (temporary state issues).
### Workarounds
- **Strict Error Handling:** Instead of silently catching all reverts, the price module should be modified to revert the entire transaction if a feed fails due to a known reentrancy error.
- **Circuit Breakers:** Implement logic to ensure a minimum number of valid feeds must return data before a price is accepted as valid.
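To make the description above and the two workarounds concrete, here is an added illustration (not Olympus's own code) of a feed-aggregating contract in both forms: a lenient loop that swallows every revert, next to a hardened loop that treats a configured "pool locked" revert selector as a hard failure and refuses to answer unless a minimum number of feeds responded. The `IPriceFeed` interface, the `lockSelector` value and the error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical feed interface; names here are assumptions, not Olympus's own.
interface IPriceFeed {
    function getPrice(address asset) external view returns (uint256);
}

contract FeedAggregator {
    IPriceFeed[] public feeds;
    uint256 public minValidFeeds;          // circuit-breaker threshold
    bytes4 public immutable lockSelector;  // revert selector a locked pool emits (assumed)

    error TooFewValidFeeds(uint256 got, uint256 needed);
    error FeedLocked(uint256 feedIndex);

    constructor(IPriceFeed[] memory feeds_, uint256 minValidFeeds_, bytes4 lockSelector_) {
        feeds = feeds_;
        minValidFeeds = minValidFeeds_;
        lockSelector = lockSelector_;
    }

    // Lenient pattern (the behaviour the finding describes): every revert is
    // swallowed, so whichever feeds still answer decide the price, even one.
    function priceLenient(address asset) external view returns (uint256) {
        uint256 sum; uint256 n;
        for (uint256 i = 0; i < feeds.length; i++) {
            try feeds[i].getPrice(asset) returns (uint256 p) { sum += p; n++; } catch {}
        }
        require(n > 0, "no feeds");
        return sum / n;
    }

    // Hardened pattern: a feed reverting with the lock selector is a temporary
    // state, not a dead feed, so the whole call aborts; otherwise the average
    // is only accepted when at least minValidFeeds answered.
    function priceStrict(address asset) external view returns (uint256) {
        uint256 sum; uint256 n;
        for (uint256 i = 0; i < feeds.length; i++) {
            try feeds[i].getPrice(asset) returns (uint256 p) {
                sum += p; n++;
            } catch (bytes memory reason) {
                if (reason.length >= 4 && bytes4(reason) == lockSelector) revert FeedLocked(i);
                // any other failure: this feed is dropped and counted below
            }
        }
        if (n == 0 || n < minValidFeeds) revert TooFewValidFeeds(n, minValidFeeds);
        return sum / n;
    }
}
```

Deploying with `minValidFeeds` equal to the number of configured feeds gives the strictest behaviour; a lower value keeps some resilience against a genuinely dead feed while still rejecting a price computed from a single survivor.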
## Detection
- Monitor for transactions where the Olympus `Price` module is called within the same transaction as UniswapV3 or Balancer liquidity actions (Mint/Burn/Swap callbacks).
- Look for `UniswapV3_PoolReentrancy` or Balancer reentrancy error codes appearing in trace logs of successful Olympus interactions.
## References
- KupiaSec Audit Finding: [https://github.com/sherlock-audit/2023-11-olympus-judging/issues/127](https://github.com/sherlock-audit/2023-11-olympus-judging/issues/127)
- Olympus Bophades Source: [https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/PRICE/OlympusPrice.v2.sol](https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/PRICE/OlympusPrice.v2.sol)