PegExchanger's fixed price leads to arbitrage

[code423n4]

Handle

cmichel

Vulnerability details

The PegExchanger contract takes in RGT and gives out TRIBE at a fixed rate of 26.705673 TRIBE per RGT.

Arbitragers will use this contract to buy cheap TRIBE and sell it higher for RGT again at other DEXes. This can lead to the liquidity in this contract being drained quickly and reduce the amount legitimate users can buy.

Recommendation

It should use a price that is close to the external TRIBE/RGT market price. Right now it's 21.58974359 TRIBE / RGT but the contract uses a price of 26.705673. This contract will peg RGT and TRIBE to this exact price for an entire year given enough liquidity. Make sure this is desired and think about how the liquidity is managed wrt arbitrageurs.

[elee1766]

arbitrage is not a bug, this is intended behavior.

[pauliax]

As per the sponsor's comment, they are aware of this and it is considered as intended behavior.