Closed code423n4 closed 2 years ago
Actually, there is a bug with the pricing when burning. For both mint and burn, the intention is to evaluate the VADER price in USD. So the suggestion will not be applied.
See here for our intention https://github.com/code-423n4/2021-12-vader-findings/issues/164
Dup #164
Handle
TomFrenchBlockchain
Vulnerability details
Impact
A money pump exists whenever VADER is worth more than $1.
Proof of Concept
When minting USDV, the amount minted is
uAmount = (vPrice * vAmount) / 1e18
where vPrice is the price of VADER in terms of USD.
https://github.com/code-423n4/2021-12-vader/blob/fd2787013608438beae361ce1bb6d9ffba466c45/contracts/tokens/USDV.sol#L71-L76
When burning USDV, the amount of VADER released is
vAmount = (uPrice * uAmount) / 1e18
where uPrice is the price of USDV in terms of USD.
https://github.com/code-423n4/2021-12-vader/blob/fd2787013608438beae361ce1bb6d9ffba466c45/contracts/tokens/USDV.sol#L105-L109
We're therefore allowing people to claim VADER at an exchange rate of 1 VADER = 1 USD.
Now consider we do a mint and then burn the entire amount of USDV we receive, combining the two expressions above:
It's then plain to see that if the price of VADER exceeds $1 at any point we can extract value from the system by minting and then burning USDV.
Recommended Mitigation Steps
Use the USDV:VADER exchange rate rather than USDV:USD when burning USDV for VADER.
Pay attention to the units implied by different values to ensure you're using them correctly.
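
The mint-then-burn arithmetic from the report, as an added example that is not part of the original issue or the Vader code base. It models only the two quoted formulas with 18-decimal integer prices (no fees or limits); `burn_rate_based` is an assumed form of the recommended mitigation, and the sample prices are constructed.

```python
ONE = 10**18  # 18-decimal fixed point, matching the 1e18 divisor in the report


def mint_usdv(v_amount, v_price):
    # Report's mint formula; v_price = USD per VADER.
    return v_price * v_amount // ONE


def burn_reported(u_amount, u_price):
    # Report's burn formula; u_price = USD per USDV.
    # The result is a USD value, yet it is released as a VADER amount.
    return u_price * u_amount // ONE


def burn_rate_based(u_amount, u_price, v_price):
    # Assumed form of the recommended mitigation: convert the USD value
    # back to VADER by dividing by USD per VADER (rounds down).
    return u_price * u_amount // v_price


def round_trip(v_in, v_price, u_price=ONE, fixed=False):
    """Mint USDV with v_in VADER, burn all of it, return VADER received."""
    u_amount = mint_usdv(v_in, v_price)
    if fixed:
        return burn_rate_based(u_amount, u_price, v_price)
    return burn_reported(u_amount, u_price)


def surplus_table(v_in=1000 * ONE):
    """Net VADER gained per round trip at constructed sample prices."""
    rows = []
    for usd_per_vader in (ONE // 2, ONE, 2 * ONE, 5 * ONE):
        rows.append((
            usd_per_vader,
            round_trip(v_in, usd_per_vader) - v_in,              # as reported
            round_trip(v_in, usd_per_vader, fixed=True) - v_in,  # rate-based
        ))
    return rows


if __name__ == "__main__":
    for price, reported, fixed in surplus_table():
        print(f"VADER=${price / ONE:.2f}  "
              f"reported: {reported / ONE:+.0f}  rate-based: {fixed / ONE:+.0f}")
```

A round-trip result above zero in the "reported" column is the unit mismatch showing up as surplus VADER; the rate-based column never exceeds zero because the division rounds down.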