Severity: Low
Files Affected
cadence/contracts/FlowALPv1.cdc
Description
The dexOraclePriceDeviationInRange() function validates that a DEX price does not diverge from the trusted Oracle price beyond a configured threshold (maxDeviationBps). However, the percentage difference is calculated by dividing the absolute difference by the smaller of the two prices, rather than strictly using the Oracle price as the denominator. While the code comments note this as intentional, it contradicts the standard definition of deviation from a trusted consensus source. This mathematical approach creates an asymmetric acceptable range that is lopsided towards higher DEX prices, meaning the protocol is more tolerant of DEX price spikes than price drops.
Exploit Scenario
- The protocol configures a maxDeviationBps of 10% (1000 bps) and the trusted Oracle reports a baseline price of $100 for a specific asset.
- A user expects the acceptable DEX price range to be symmetrically centered around the Oracle price, spanning from exactly $90 to $110.
- A market fluctuation causes the DEX price to drop to exactly $90.
- The contract calculates the absolute difference ($10) and divides it by the smaller price ($90), resulting in a calculated deviation of 11.1%.
- The contract erroneously rejects the price because 11.1% exceeds the 10% threshold, effectively raising the lower acceptable bound to ~$91.
- Conversely, if the DEX price spikes to $110, the difference ($10) is divided by the smaller Oracle price ($100), resulting in exactly 10%, which the contract accepts, proving the threshold favors upward volatility over downward volatility.
Recommendation
Modify the deviation calculation to strictly use the trusted Oracle price as the base denominator, regardless of which price is smaller. This ensures the acceptable DEX price range remains perfectly symmetrical and centered around the protocol's source of truth.
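The two denominators compared side by side, as an added Python model (not the contract's Cadence code). The function names are hypothetical, exact fractions stand in for the contract's fixed-point arithmetic, and the inclusive comparison is assumed from the scenario, where exactly 10% is accepted.

```python
from fractions import Fraction

BPS = 10_000  # basis points per 100%


def _checked(dex, oracle):
    """Convert to exact fractions and reject non-positive prices (no zero denominator)."""
    dex, oracle = Fraction(dex), Fraction(oracle)
    if dex <= 0 or oracle <= 0:
        raise ValueError("prices must be positive")
    return dex, oracle


def deviation_min_denominator(dex, oracle):
    """Form described in the finding: |dex - oracle| / min(dex, oracle)."""
    dex, oracle = _checked(dex, oracle)
    return abs(dex - oracle) / min(dex, oracle)


def deviation_oracle_denominator(dex, oracle):
    """Recommended form: |dex - oracle| / oracle."""
    dex, oracle = _checked(dex, oracle)
    return abs(dex - oracle) / oracle


def in_range(deviation_fn, dex, oracle, max_deviation_bps):
    """True when the deviation is at or below the threshold (inclusive, assumed)."""
    return deviation_fn(dex, oracle) <= Fraction(max_deviation_bps, BPS)


def accepted_band(deviation_fn, oracle, max_deviation_bps):
    """Closed-form (low, high) DEX prices accepted for a given oracle price."""
    oracle, t = Fraction(oracle), Fraction(max_deviation_bps, BPS)
    high = oracle * (1 + t)  # above the oracle, both forms divide by the oracle price
    if deviation_fn is deviation_min_denominator:
        low = oracle / (1 + t)  # below the oracle, the DEX price is the denominator
    else:
        low = oracle * (1 - t)
    return low, high


if __name__ == "__main__":
    # Constructed inputs taken from the scenario: oracle = $100, threshold = 1000 bps.
    for fn in (deviation_min_denominator, deviation_oracle_denominator):
        low, high = accepted_band(fn, 100, 1000)
        print(f"{fn.__name__}: accepts {float(low):.4f} .. {float(high):.4f}; "
              f"$90 accepted: {in_range(fn, 90, 100, 1000)}")
```

With the smaller-price denominator the lower bound is oracle / (1 + t) instead of oracle * (1 - t), so the gap between the two lower bounds widens as maxDeviationBps grows.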
Parent Issue: #209