naps62
commented
2 years ago Our goal is to support only stable coins, so I don't think this is an issue. @ryuheimat ?
Closed code423n4 closed 2 years ago
naps62
commented
2 years ago Our goal is to support only stable coins, so I don't think this is an issue. @ryuheimat ?
r2moon
commented
2 years ago yeah, we support stable coins only,
dmvt
commented
2 years ago Given that the sponsor will only be supporting stablecoins, this issue should be mitigated. However, this is not made clear in the comments present on the strategy in question. I recommend adding a warning statement to the contract comments and documentation so that anyone who may take over this project later or fork it understands the original intention. Changing this to a low risk per Code4rena definitions.
1 — Low: Low: Assets are not at risk. State handling, function incorrect as to spec, issues with comments.
Handle
WatchPug
Vulnerability details
All the non-UST assets are converted to UST for investments, but the deposit amounts are recorded in Vault assets token (eg, BTC).
The current design/implementation of non-UST vaults makes it possible for attackers to profit no matter the price goes up or down, at the expense of other users.
PoC
Given:
$45,000;10 BTCto the Vault;100 BTCworth of assets (4.5M of UST) in the Vault.If the price of BTC increases to
$60,000:If the price of BTC decreases to
$30,000:This can be amplified with:
Recommendation
Consider making NonUSTStrategy not swapping to and investing in UST, but investing in assets that are pegged to or based on the Vault asset, take BTC for example, the Strategy should be investing in ibBTC or other BTC based investments.