Aave V3’s Price Oracle Manipulation Vulnerability

We discussed this vulnerability during Episode 143 on 09 May 2022.

An access control issue in a fallback price oracle contract. Under normal circumstances, Aave V3 tries to get price information from a Chainlink oracle. However, if that fails and returns a null value, a fallback contract gets called instead. This fallback contract’s setAssetPrice() method has no access control and can be called by an attacker to manipulate the price. Exploiting this issue might be tricky, as you’d have to force the fallback contract to be invoked. The authors propose two scenarios in which this could happen. One is due to Aave’s use of a deprecated function (latestAnswer()), which could fail to reach an answer and return 0. The other is if an asset is loaded as collateral before the price feed for that asset is configured.

The contract was in a mocks/ directory, so this seems to have been a test contract that accidentally made it into production.
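
A simplified sketch of the pattern described above, showing the unguarded setter beside a guarded one and the two paths that lead into the fallback. It is an added illustration, not Aave's code: every contract, interface and function name is hypothetical except setAssetPrice() and latestAnswer(), and the single-admin check is an assumed mitigation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;
// Added illustration. Every name except setAssetPrice() and latestAnswer() is hypothetical.
interface IFeed { function latestAnswer() external view returns (int256); }
interface IFallback { function getAssetPrice(address asset) external view returns (uint256); }

// Pattern described in the text: any account can write the price.
contract OpenFallbackOracle is IFallback {
    mapping(address => uint256) internal prices;
    function getAssetPrice(address asset) external view returns (uint256) { return prices[asset]; }
    function setAssetPrice(address asset, uint256 price) external {
        prices[asset] = price; // no caller check
    }
}

// Hardened form (assumed fix): only the admin fixed at deployment can write the price.
contract GuardedFallbackOracle is IFallback {
    address public immutable admin;
    mapping(address => uint256) internal prices;
    constructor(address admin_) { admin = admin_; }
    function getAssetPrice(address asset) external view returns (uint256) { return prices[asset]; }
    function setAssetPrice(address asset, uint256 price) external {
        require(msg.sender == admin, "not admin");
        prices[asset] = price;
    }
}

// Primary oracle showing both paths into the fallback named in the text.
contract PrimaryOracle {
    address public immutable admin;
    IFallback public immutable fallbackOracle;
    mapping(address => IFeed) public feeds;
    constructor(IFallback fallback_) { admin = msg.sender; fallbackOracle = fallback_; }
    function setFeed(address asset, IFeed feed) external {
        require(msg.sender == admin, "not admin");
        feeds[asset] = feed;
    }
    function getAssetPrice(address asset) external view returns (uint256) {
        IFeed feed = feeds[asset];
        // Path 1: the asset is in use before its price feed is configured.
        if (address(feed) == address(0)) return fallbackOracle.getAssetPrice(asset);
        int256 answer = feed.latestAnswer();
        // Path 2: latestAnswer() has no answer and yields 0 (non-positive treated alike).
        if (answer <= 0) return fallbackOracle.getAssetPrice(asset);
        return uint256(answer);
    }
}
```

Whatever the fallback returns is used as the asset price on both paths, so the fallback's write access needs the same protection as the primary feed configuration.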