search

code-423n4 / 2021-06-gro-findings

0 stars 1 forks source link

`safetyCheck` does not ensure all ratios of prices are healthy #125

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

shw

Vulnerability details

Impact

The safetyCheck function of Buoy3Pool checks the two ratios, a/b and a/c, to be healthy but not the ratio b/c. This ratio may be unhealthy, causing assets (USDC, USDT) to be exchanged at a not-so-good price.

Proof of Concept

Consider the following situation:

  1. lastRatio[1] and lastRatio[2] are both 1000000 (i.e., price of DAI == USDC == USDT).
  2. Now, the state of Curve 3pool is slightly imbalanced, with the price USDC > DAI > USDT. The ratio a/b is 998000, and the ratio a/c is 1002000.
  3. Both a/b and a/c are within tolerance (i.e., the difference between itself and its previous value does not exceeds BASIS_POINTS). However, the ratio b/c is not because it differs from the previous value by approximately 2 * BASIS_POINTS.

Referenced code: Buoy3Pool.sol#L87-L96

Recommended Mitigation Steps

Check the ratio of b/c to ensure it is also healthy.

kitty-the-kat commented 2 years ago

104

ghoul-sol commented 2 years ago

Duplicate of #104 so high risk.