Here we multiply the IL experienced by the LP by a price for USDV or VADER as returned by the LBT. However the price from the oracle is a fixed point number (scaled up by 1e8 or 1e18 depending on the resolution of finding "Oracle returns an improperly scaled USDV/VADER price") and so a fixed scaling factor should be applied to convert back from a fixed point number to a standard integer.
As it stands depending on the branch which is executed, the amount to be reimbursed will be 1e18 times too large or too small. Should the "else" branch be executed the reserve will pay out much in terms of IL protection resulting in severe loss of funds. High severity.
Handle
TomFrenchBlockchain
Vulnerability details
Impact
Reserve pays out vastly higher (or lower) IL protection than it should
Proof of Concept
Consider the lines 98 and 102 as shown on the link below:
https://github.com/code-423n4/2021-12-vader/blob/00ed84015d4116da2f9db0c68db6742c89e73f65/contracts/reserve/VaderReserve.sol#L95-L103
Here we multiply the IL experienced by the LP by a price for USDV or VADER as returned by the LBT. However the price from the oracle is a fixed point number (scaled up by 1e8 or 1e18 depending on the resolution of finding "Oracle returns an improperly scaled USDV/VADER price") and so a fixed scaling factor should be applied to convert back from a fixed point number to a standard integer.
As it stands depending on the branch which is executed, the amount to be reimbursed will be 1e18 times too large or too small. Should the "else" branch be executed the reserve will pay out much in terms of IL protection resulting in severe loss of funds. High severity.
Recommended Mitigation Steps
Apply similar logic to as displayed here:
https://github.com/code-423n4/2021-12-vader/blob/00ed84015d4116da2f9db0c68db6742c89e73f65/contracts/tokens/USDV.sol#L109