CVE-2019-20809 in Compound Finance Compound Price Oracle

Summary

by MITRE

The price oracle in PriceOracle.sol in Compound Finance Compound Price Oracle 1.0 through 2.0 allows a price poster to set an invalid asset price via the setPrice function, and consequently violate the intended limits on price swings.


Analysis

by VulDB Data Team • 06/04/2020

CVE-2019-20809 affects PriceOracle.sol in Compound Finance's Compound Price Oracle, versions 1.0 through 2.0. The oracle's setPrice function is supposed to restrict how far a newly posted price may swing, but its validation is insufficient: an authorized price poster can submit a price that the oracle should have rejected, and the intended limit on price swings is not enforced. Because the oracle's output feeds collateral valuation, borrowing capacity and liquidation decisions in the Compound protocol, a bad price propagates to every market that reads it.

The weakness is a missing boundary check in setPrice rather than a broken permission check: the function accepts the poster's value without confirming that it lies within the permitted swing range. VulDB classifies the issue under CWE-284 (Improper Access Control), since the swing limit is the control that is meant to bound what a poster can do, and bypassing it extends the poster's effective privilege. Exploitation requires the price-posting role, so the realistic attacker is a malicious or compromised poster (for example, a leaked posting key or a compromised posting server) rather than an arbitrary account. The swing limit existed precisely to cap the damage such a poster could do in a single transaction, and the flaw removes that cap.

The operational impact goes beyond a single wrong number. A price that undervalues collateral makes healthy positions liquidatable, so a poster who can set an invalid price can trigger liquidations that should never have happened; a price that overvalues collateral lets a borrower draw more than the collateral is worth and leave bad debt behind, draining liquidity from the affected markets. VulDB maps the issue to ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation), reflecting that a corrupted price can render the lending application unusable for its users. Because one oracle price is read by several markets, the effects can hit multiple markets and user positions at the same time.

The severity is amplified by Compound's position in the wider decentralized finance ecosystem: it is a foundational lending protocol that other DeFi applications build on, and its price oracle is the single source of truth for asset valuations within it, which makes the oracle a high-value target. A successful manipulation can collapse user positions, disrupt markets and erode confidence in the protocol. The lesson for anyone building a similar oracle is that the posting path needs explicit validation: reject (rather than silently cap) any value outside the permitted swing, refuse non-positive prices, keep the reference value against which swings are measured under a role separate from the poster so that a poster cannot move its own baseline, rate-limit posts per asset so that a compromised key cannot walk the price in rapid succession, and require agreement from multiple independent posters or a multi-signature approval before a new price takes effect.
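The swing-limit bypass class described above, together with the hardening measures just listed, as an added example that is not part of the original page and is not Compound's code. It is a hypothetical Python model of an oracle posting path: the class and role names, the 10% limit, the 5-block rate limit, the separate anchor-admin role and the 2-of-n poster agreement are all assumptions. The weak model illustrates how a swing check can be hollowed out (the poster moves its own anchor, out-of-range values are capped instead of rejected, a zero anchor skips the check); it is not a reconstruction of the specific flaw in PriceOracle.sol.

```python
"""Hypothetical model of an oracle price-posting path with a swing limit.
Illustrative code only, not Compound's PriceOracle.sol: the names, the 10%
limit, the block-based rate limit and the 2-of-n poster agreement are
assumptions chosen to show the weakness class and one hardened counterpart."""
from dataclasses import dataclass, field

BPS = 10_000
MAX_SWING_BPS = 1_000          # assumed +/-10% limit relative to the anchor
MIN_BLOCKS_BETWEEN_POSTS = 5   # assumed per-asset rate limit


class PriceRejected(Exception):
    pass  # raised by the hardened oracle instead of silently capping a value


@dataclass
class WeakOracle:
    """Weak model: the anchor is whatever the poster last set, out-of-range
    values are capped instead of rejected, and an anchor of 0 skips the check."""
    prices: dict = field(default_factory=dict)
    anchors: dict = field(default_factory=dict)

    def set_price(self, asset: str, new_price: int) -> int:
        anchor = self.anchors.get(asset)
        if anchor:  # missing or zero anchor: no check at all
            lo = anchor * (BPS - MAX_SWING_BPS) // BPS
            hi = anchor * (BPS + MAX_SWING_BPS) // BPS
            new_price = max(lo, min(hi, new_price))  # capped, never rejected
        self.prices[asset] = new_price
        self.anchors[asset] = new_price  # the poster moves the anchor itself
        return new_price


@dataclass
class HardenedOracle:
    """Hardened model: anchor owned by a separate admin role, non-positive and
    out-of-range prices rejected, posts rate limited, k-of-n poster agreement."""
    admin: str
    posters: frozenset
    required_approvals: int = 2
    prices: dict = field(default_factory=dict)
    anchors: dict = field(default_factory=dict)
    last_post_block: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # (asset, price) -> posters

    def set_anchor(self, caller: str, asset: str, anchor: int) -> None:
        if caller != self.admin:
            raise PriceRejected("only the anchor admin may move the anchor")
        if anchor <= 0:
            raise PriceRejected("anchor must be positive")
        self.anchors[asset] = anchor

    def set_price(self, caller: str, asset: str, new_price: int, block: int):
        if caller not in self.posters:
            raise PriceRejected("caller is not an authorised poster")
        if new_price <= 0:
            raise PriceRejected("price must be positive")
        anchor = self.anchors.get(asset)
        if anchor is None:
            raise PriceRejected("no anchor for asset; admin must seed it first")
        swing_bps = abs(new_price - anchor) * BPS // anchor
        if swing_bps > MAX_SWING_BPS:
            raise PriceRejected(f"swing of {swing_bps} bps exceeds limit")
        last = self.last_post_block.get(asset)
        if last is not None and block - last < MIN_BLOCKS_BETWEEN_POSTS:
            raise PriceRejected("rate limited")
        approvals = self.pending.setdefault((asset, new_price), set())
        approvals.add(caller)
        if len(approvals) < self.required_approvals:
            return None  # wait until enough independent posters agree
        del self.pending[(asset, new_price)]
        self.prices[asset] = new_price
        self.last_post_block[asset] = block
        return new_price


def walk_weak_oracle(start: int, posts: int) -> int:
    # Each post is capped to +10%, but the anchor follows the posted value,
    # so repeated posts walk the price far beyond the limit the cap implied.
    o = WeakOracle()
    o.set_price("ETH", start)
    for _ in range(posts):
        o.set_price("ETH", o.prices["ETH"] * 2)
    return o.prices["ETH"]  # 200 -> 321 after 5 posts, about 60% above start


def weak_zero_anchor_bypass() -> int:
    # A first post of 0 is accepted, and a zero anchor disables later checks.
    o = WeakOracle()
    o.set_price("DAI", 0)
    return o.set_price("DAI", 10**9)


def hardened_outcomes() -> list:
    # Constructed sequence of posts (caller, price, block) against the hardened model.
    o = HardenedOracle(admin="admin", posters=frozenset({"alice", "bob"}))
    o.set_anchor("admin", "ETH", 200)
    out = []
    for caller, price, block in [("alice", 230, 10), ("alice", 0, 10),
                                 ("alice", 210, 10), ("bob", 210, 10),
                                 ("alice", 212, 12), ("mallory", 210, 20)]:
        try:
            out.append(o.set_price(caller, "ETH", price, block))
        except PriceRejected as err:
            out.append(str(err))
    return out
```

The weak model shows why "cap to the limit" is not a control when the poster also controls the baseline: five capped posts move the price from 200 to 321, and a first post of 0 leaves a falsy anchor that turns every later check off. The hardened model measures each post against an anchor only the admin may set, raises instead of capping, refuses non-positive values, spaces posts per asset and publishes only once two posters have submitted the same value.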

Reservation

06/01/2020

Moderation

accepted

CPE

ready

EPSS

0.00882

KEV

no

Activities

very low

Sources
