totalUSDV is then the average price of USDV in terms of each of the foreign assets, weighted by the TVL of the relevant liquidity pool.
It should be fairly clear that this is the incorrect calculation as all the terms in totalUSDV are in different units - you can't average the price of USDV in ETH with the price of USDV in BTC and get a meaningful result.
It appears that the VADER team intended to calculate the price of USDV in terms of USD through a number of different paired assets and then average them at the end based on the liquidity in each pair but have started averaging too early.
High severity issue as the oracle is crucial for determining the exchange rate between VADER and USDV to be used for IL protection and minting/burning of USDV - an incorrect value will result in the protocol losing significant funds.
Recommended Mitigation Steps
Review the algorithm used for calculating the prices of assets and ensure that it's calculating what you expect.
Handle
TomFrenchBlockchain
Vulnerability details
Impact
Invalid values returned from oracle for USDV and VADER prices in situations where the oracle uses more than one foreign asset.
Proof of Concept
The USDV price is calculated as so (for simplicity we'll consider a two pairs):
https://github.com/code-423n4/2021-12-vader/blob/fd2787013608438beae361ce1bb6d9ffba466c45/contracts/lbt/LiquidityBasedTWAP.sol#L393-L409
totalUSDis then the average price of the foreign assets paired against USDV in terms of USD, weighted by the TVL of the relevant liquidity pooltotalUSDVis then the average price of USDV in terms of each of the foreign assets, weighted by the TVL of the relevant liquidity pool.It should be fairly clear that this is the incorrect calculation as all the terms in
totalUSDVare in different units - you can't average the price of USDV in ETH with the price of USDV in BTC and get a meaningful result.It appears that the VADER team intended to calculate the price of USDV in terms of USD through a number of different paired assets and then average them at the end based on the liquidity in each pair but have started averaging too early.
High severity issue as the oracle is crucial for determining the exchange rate between VADER and USDV to be used for IL protection and minting/burning of USDV - an incorrect value will result in the protocol losing significant funds.
Recommended Mitigation Steps
Review the algorithm used for calculating the prices of assets and ensure that it's calculating what you expect.