_Follow along with the video lesson:_

---

### Exploit - Oracle Manipulation - Introduction

Alright, we're cookin' now! Next question!

```js
// @Audit-Question: How is the fee being calculated?
function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {...}
```

We'd identified an issue in this function previously, in that we're for some reason calculating a fee in weth - but besides this vulnerability, is there anything else regarding fee calculation that is potentially exploitable?

Hint:

```js
uint256 valueOfBorrowedToken = (amount * getPriceInWeth(address(token))) / s_feePrecision;
```

Spotting this issue comes with a little bit of experience. I can tell you it's related to utilizing a Dex as a price oracle.

Ask yourselves:

**_What would happen if the price of an asset on TSwap could be manipulated? What would the impact on Thunder Loan be?_**

In 2023, `Price Oracle Manipulation` was the #1 attack vector in DeFi resulting in over `$198,000,000` in lost or stolen funds.

In the next lesson we'll be introduced to what oracle manipulation is, how it works and what can be done to protect against it.

See you there.
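Added example (not from the lesson or the Thunder Loan code base): a Python model of the hint line, showing how the calculated fee depends on the reserves of the pool behind `getPriceInWeth`. The constant-product pool, the `FEE_RATE` value, the 18-decimal `PRECISION`, the reserve figures and all function names are assumptions made for illustration.

```python
PRECISION = 10**18     # assumed value of s_feePrecision (18-decimal fixed point)
FEE_RATE = 3 * 10**15  # hypothetical 0.3% fee rate; not taken from the lesson


class ConstantProductPool:
    """Assumed x*y=k model of a token/WETH pool such as TSwap (swap fee ignored)."""

    def __init__(self, token_reserve, weth_reserve):
        self.token_reserve = token_reserve
        self.weth_reserve = weth_reserve

    def price_in_weth(self):
        # Spot quote: WETH paid out for one whole token at the current reserves.
        return (PRECISION * self.weth_reserve) // (self.token_reserve + PRECISION)

    def sell_token(self, token_in):
        # A trade moves both reserves, and with them every later spot quote.
        weth_out = (token_in * self.weth_reserve) // (self.token_reserve + token_in)
        self.token_reserve += token_in
        self.weth_reserve -= weth_out
        return weth_out


def calculated_fee(pool, amount):
    # Same shape as the hint line: the borrowed amount valued at the pool's spot price.
    value_of_borrowed_token = (amount * pool.price_in_weth()) // PRECISION
    return (value_of_borrowed_token * FEE_RATE) // PRECISION


def fee_before_and_after(trade_size, loan_amount):
    """Fee for the same loan, quoted before and after one trade against the pool."""
    pool = ConstantProductPool(100 * PRECISION, 100 * PRECISION)  # constructed reserves
    before = calculated_fee(pool, loan_amount)
    pool.sell_token(trade_size)
    after = calculated_fee(pool, loan_amount)
    return before, after


if __name__ == "__main__":
    before, after = fee_before_and_after(50 * PRECISION, 100 * PRECISION)
    print(f"fee before trade: {before / PRECISION:.6f} WETH")
    print(f"fee after trade:  {after / PRECISION:.6f} WETH")
```

The two fees are for an identical loan and differ only because the pool's reserves changed between the two quotes, which is why the question above about a manipulable TSwap price matters for Thunder Loan.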
Patrick uncovers and details an oracle manipulation vulnerability within Thunder Loan.