Veridian Labs identified a price oracle manipulation vulnerability in a DEX aggregator's TWAP-based pricing mechanism. Low-liquidity pools used for price feeds could be manipulated using flash loans, allowing an attacker to inflate or deflate asset prices used for swap routing and slippage calculations.
The aggregator relied on a 30-minute TWAP from Uniswap V3 pools for price discovery. For tokens with less than $50K in on-chain liquidity, the TWAP could be manipulated within a single block by:
1. Flash loan large amount of token A 2. Swap into thin pool → price spike 3. TWAP observation recorded at inflated price 4. Wait for TWAP window to partially include manipulation 5. Execute favorable swap at manipulated price 6. Repay flash loan
Potential loss of up to $2.3M in aggregator liquidity across affected pools. The attack was economically viable for pools with less than $100K TVL.
The vendor implemented minimum liquidity thresholds for TWAP oracle sources and added price deviation bounds that reject quotes deviating more than 5% from Chainlink reference feeds.
Discovered by Sarah Rodriguez and James Thompson of Veridian Labs.