---
title: CertiK Client Feedback from Farmland
tags: audit-feedback
---

CertiK Client Feedback from Farmland
===

<!-- Client Feedback Form should be submitted for every **formal** discussion with clients. Use 10 mins to finish it and push to the project git repo through the hackmd embedded plugin: https://hackmd.io/c/tutorials/%2Fs%2Flink-with-github -->

###### tags: `Feedback` `Audit`

:::info
<!-- Participator should include all names of BDs and Engineers who join the discussion -->
- **Client:** Farmland Finance Protocol
- **Date:** Dec 17, 2020
- **Participator:** buyun.xu@certik.com, guilong.li@certik.com
- **Reference:**
  - [Last week meeting minute](/s/template-meeting-note)
:::

---

:mag: Discussion Findings
---

<!-- List all discussion topics in the meeting that you think are worth noting in the process of the audit. It is not necessary to list here all vulnerabilities found in the project. -->

| Index | Type | Issue Description | Client's Feedbacks | Auditor's Comments | Solved? | Solution |
| ----- | ---- | ----------------- | ------------------ | ------------------ | ------- | -------- |
| 1 | Any concerns from our auditors and client | Lack of report detail | Farmland is going to farm the renBTC/WBTC pool in curve using their renBTC. Is it going to be attacked by a price oracle issue? | If the curve price oracle is attacked by a flash loan and reports a wrong price, Farmland will lose some of their assets if they withdraw their tokens from curve at the wrong price. | Y | |

:closed_book: Comments
--

Details for Finding 1:

Farmland is going to farm the renBTC/WBTC pool in curve with renBTC. Is there a possibility of being attacked through a price oracle issue?

Answer: Farmland is using the curve price oracle service to get the price. If the curve price oracle is attacked by a flash loan and reports a wrong price, Farmland will lose some of their assets if they withdraw their tokens from curve at the wrong price.

Solution: Add some logic to monitor the curve price oracle service. If the price fluctuates severely, stop the transaction, e.g. UniswapV2 introduces the cumulative price into the project. Another solution is to involve more than one price oracle to limit the price fluctuation.

Farmland plans to restrict the actions from one address: deposit and withdraw actions cannot be executed in the same block. Will this solution restrict flash loan attacks?

Reply: The common flash loan attack case is: borrow funds through a flash loan, distort the price on curve, then stake on the platform that calls the curve price oracle and receive excess tokens; then pull the curve price back to normal; then swap the excess tokens back for funds on the platform and profit. This process can be repeated in a loop within one block for repeated profit. The solution you propose can prevent the attack above, because the whole attack flow happens within one block.

Another flash loan attack method is: first borrow funds through a flash loan and distort the price on curve; then use one's own funds or other borrowed funds, but not a flash loan, to deposit on the Farmland platform and receive excess tokens, that is, shares; then pull the curve price back to normal and repay the flash loan, at which point the block ends; then return to the Farmland platform and withdraw. This operation cannot be completed within one block, so the process cannot be repeated. But a one-off attack with a large amount of funds can still cause a heavy loss.

Overall, the solution you propose only guarantees that the attacker cannot call the attack logic in a loop within the same block to profit repeatedly.
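The reasoning above compares two guards: the one-action-per-address-per-block rule Farmland plans, and a price-deviation check against a cumulative (time-weighted) price as suggested in the solution. The following Python model is an added example, not Farmland's or curve's code; the vault, the oracle, the 10 renBTC deposit and the 1.5 manipulated price are all constructed. It shows that the same-block rule rejects the looped single-block pattern but not the deposit-now-withdraw-next-block pattern, while a TWAP deviation check rejects the mispriced deposit in both cases.

```python
"""Toy share-based vault priced by a spot oracle, used to evaluate two guards.
Constructed example: vault accounting, prices and amounts are not Farmland's or curve's."""

from typing import Dict, Optional

FAIR_PRICE = 1.0  # assumed fair renBTC price in WBTC terms


class SpotOracle:
    """Spot price per block; a manipulated block overrides the fair price."""

    def __init__(self) -> None:
        self.overrides: Dict[int, float] = {}

    def price(self, block: int) -> float:
        return self.overrides.get(block, FAIR_PRICE)

    def twap(self, block: int, window: int = 5) -> float:
        # Average spot over the previous `window` blocks (current block excluded),
        # standing in for a cumulative-price oracle such as UniswapV2's.
        return sum(self.price(b) for b in range(block - window, block)) / window


class Rejected(Exception):
    """Raised when a guard stops a deposit or withdrawal."""


class Vault:
    def __init__(self, oracle: SpotOracle, one_action_per_block: bool = False,
                 max_deviation: Optional[float] = None) -> None:
        self.oracle = oracle
        self.one_action_per_block = one_action_per_block  # Farmland's planned rule
        self.max_deviation = max_deviation                # TWAP deviation guard
        self.assets = 100.0          # WBTC-equivalent value held for honest depositors
        self.total_shares = 100.0    # share price starts at 1 WBTC per share
        self.shares: Dict[str, float] = {}
        self.last_block: Dict[str, int] = {}

    def _guarded_price(self, who: str, block: int) -> float:
        if self.one_action_per_block and self.last_block.get(who) == block:
            raise Rejected("second action from this address in one block")
        self.last_block[who] = block
        spot = self.oracle.price(block)
        if self.max_deviation is not None:
            twap = self.oracle.twap(block)
            if abs(spot - twap) / twap > self.max_deviation:
                raise Rejected("spot price deviates too far from TWAP")
        return spot

    def deposit(self, who: str, renbtc: float, block: int) -> float:
        """Mint shares for a renBTC deposit valued at the oracle price."""
        price = self._guarded_price(who, block)
        share_price = self.assets / self.total_shares
        minted = renbtc * price / share_price
        self.assets += renbtc * FAIR_PRICE  # the vault really receives fair value
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0.0) + minted
        return minted

    def withdraw(self, who: str, block: int) -> float:
        """Burn all of `who`'s shares and pay out pro rata."""
        self._guarded_price(who, block)
        burned = self.shares.pop(who, 0.0)
        payout = burned / self.total_shares * self.assets
        self.assets -= payout
        self.total_shares -= burned
        return payout


def run_scenario(vault: Vault, deposit_block: int, withdraw_block: int,
                 manipulated_price: float = 1.5) -> Optional[float]:
    """Deposit 10 renBTC while spot is manipulated, withdraw later.
    Returns the manipulator's gain in WBTC terms, or None if a guard rejected it."""
    vault.oracle.overrides[deposit_block] = manipulated_price
    try:
        vault.deposit("manipulator", 10.0, deposit_block)
        paid = vault.withdraw("manipulator", withdraw_block)
    except Rejected:
        return None
    return paid - 10.0 * FAIR_PRICE


if __name__ == "__main__":
    print("no guard, same block:      ", run_scenario(Vault(SpotOracle()), 10, 10))
    print("block rule, same block:    ", run_scenario(Vault(SpotOracle(), one_action_per_block=True), 10, 10))
    print("block rule, next block:    ", run_scenario(Vault(SpotOracle(), one_action_per_block=True), 10, 11))
    print("TWAP guard, next block:    ", run_scenario(Vault(SpotOracle(), max_deviation=0.1), 10, 11))
```

With the constructed numbers, 10 renBTC deposited at a 1.5 spot mints 15 shares against 110 of assets and 115 total shares, so the withdrawal returns about 14.35 WBTC-equivalent for a 10 deposit. The one-action-per-block rule returns None only for the same-block run; the next-block run still pays out, which is the second pattern described in the reply. The TWAP guard rejects the deposit itself because the 1.5 spot is 50% away from the 1.0 average of the preceding blocks.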