Findings
H-01 High
Oracle price manipulation
Description
The protocol uses a single Uniswap pool as its price feed. An attacker can take a flash loan to move the pool's spot price within one transaction, then trigger liquidations or take out unfair borrows at the manipulated price before the pool returns to its market rate.
Recommendation
Use a TWAP (time-weighted average price), multiple oracles, or Chainlink instead of the raw spot price. Enforce a minimum liquidity threshold and a maximum price deviation per block.
Code
// Vulnerable: spot price only, read straight from a single Uniswap V2 pair's reserves
// (assumes `pair` is a stored IUniswapV2Pair reference)
function getPrice() public view returns (uint256) {
    (uint256 reserve0, uint256 reserve1,) = pair.getReserves();
    uint256 price = reserve1 / reserve0; // Instant manipulation: a swap or flash loan in the same block moves this
    return price;
}
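A hardened replacement along the lines of the recommendation, written for this report as an added example rather than code from the audited protocol: it publishes a 30-minute Uniswap V2 TWAP of token1 per token0, refuses to serve a price while token0 liquidity is below a floor, and rejects any spot price that deviates more than 5% from the TWAP. The window, liquidity floor and deviation cap are assumed values, and the pair interface is trimmed to the two functions used.

```solidity
pragma solidity ^0.8.20;

interface IUniswapV2Pair { // only the members used here
    function getReserves() external view returns (uint112, uint112, uint32);
    function price0CumulativeLast() external view returns (uint256);
}
contract TwapOracle {
    IUniswapV2Pair public immutable pair;
    uint32 public constant PERIOD = 30 minutes;       // TWAP window (assumed)
    uint112 public constant MIN_RESERVE0 = 100e18;    // liquidity floor for token0 (assumed)
    uint256 public constant MAX_DEVIATION_BPS = 500;  // spot may differ from TWAP by at most 5% (assumed)
    uint256 private lastCumulative;  // pair.price0CumulativeLast() at the last update
    uint32 private lastTimestamp;    // block timestamp (mod 2**32) at the last update
    uint256 public twapUQ112x112;    // latest TWAP of token1 per token0, UQ112x112 fixed point
    constructor(IUniswapV2Pair _pair) {
        pair = _pair;
        (lastCumulative, lastTimestamp) = _currentCumulative(_pair);
    }

    // Cumulative price as of now: extrapolate if the pair was not updated in this block,
    // mirroring the pair's own overflow-tolerant accumulator (hence unchecked).
    function _currentCumulative(IUniswapV2Pair p) internal view returns (uint256 cumulative, uint32 ts) {
        ts = uint32(block.timestamp);
        cumulative = p.price0CumulativeLast();
        (uint112 r0, uint112 r1, uint32 pairTs) = p.getReserves();
        if (pairTs != ts && r0 != 0) {
            unchecked { cumulative += (uint256(r1) << 112) / r0 * (ts - pairTs); }
        }
    }

    // Anyone may roll the window forward once PERIOD has elapsed; a single block cannot move the result much.
    function update() external {
        (uint256 cumulative, uint32 ts) = _currentCumulative(pair);
        uint32 elapsed;
        unchecked { elapsed = ts - lastTimestamp; }
        require(elapsed >= PERIOD, "window not elapsed");
        unchecked { twapUQ112x112 = (cumulative - lastCumulative) / elapsed; }
        (lastCumulative, lastTimestamp) = (cumulative, ts);
    }

    // Consumers call this instead of reading reserves directly.
    function consult() external view returns (uint256) {
        uint256 twap = twapUQ112x112;
        require(twap != 0, "oracle not initialised");
        (uint112 r0, uint112 r1,) = pair.getReserves();
        require(r0 >= MIN_RESERVE0, "insufficient liquidity");
        uint256 spot = (uint256(r1) << 112) / r0;
        uint256 diff = spot > twap ? spot - twap : twap - spot;
        require(diff * 10_000 <= twap * MAX_DEVIATION_BPS, "spot deviates from TWAP");
        return twap;
    }
}
```

A keeper must call update() at least once per PERIOD for the window to stay fresh; a Chainlink or second-pool price can be compared against consult() with the same deviation check.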