FLO-25: Dex Price Susceptible to Sandwich Attacks in Liquidation

[liobrasil]

Severity: Low

Files Affected

• cadence/contracts/FlowALPv1.cdc

Description

In the manualLiquidation() function, the DEX quote is fetched and compared in the same transaction. A sandwich attack can be executed where:

• Front-run: Manipulate DEX pool to worsen its price.
• Liquidation executes: DEX quote is artificially bad, so the liquidator's offer appears "better than DEX".
• Back-run: Reverse manipulation for profit.

Recommendation

Use TWAP instead of spot quote, or use oracle price as the primary benchmark.

---

Parent Issue: #209

[holyfuchs]

The oracle we are adding ensures the spread between sources (including the DEX) isn't too high; otherwise, it won't return a price. It also ensures short-term volatility isn't too high.

Additionally, there is another assert in the function:

FlowALP/cadence/contracts/FlowALPv0.cdc

Lines 597 to 599 in 802c194

	assert(
	FlowALPMath.dexOraclePriceDeviationInRange(dexPrice: Pcd_dex, oraclePrice: Pcd_oracle, maxDeviationBps: self.config.getDexOracleDeviationBps()),
	message: "DEX/oracle price deviation too large. Dex price: \(Pcd_dex), Oracle price: \(Pcd_oracle)")

A small sandwich attack is always possible. I don't think we should make any changes.