Open code423n4 opened 2 years ago
This is more of a policy issue than an inherent contract security issue, and as mentioned is an already known concern vector with the system. Definitely not medium risk given all of that, but technically true. Thoughts on severity if any @ind-igo?
Agreed, this is a policy issue, although good observation. It is however out of scope for this contest.
Going to downgrade to QA
Lines of code
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/RANGE.sol#L158-L178
Vulnerability details
Impact
Increased systematic risk to the treasury and near guaranteed loss
Proof of Concept
The Range-Bound Stability system is designed to increase OHM stability against a reserve asset by providing an upper and lower liquidity band to resist sudden changes. The white paper suggests that the treasury may implement RBS against a volatile asset such as ETH. Given the relative volatility of ETH and that bounds are set by a moving average, it is highly likely that the market price of ETH will frequently enter or move outside of the RBS bounds. In this case, the RBS is not functioning as intended because it is effectively trying to absorb the volatility of the reserve asset rather than the volatility of OHM. Arbitrageurs will close the price gap at the expense of treasury funds, since the treasury will either be buying for too much or selling for too little. Given the relative difference in liquidity, the RBS will be easily overpowered by market forces.
During a black swan event (i.e. UST collapse) that affects a treasury asset, the RBS will increase exposure to that asset. This puts a greater amount of treasury assets at risk and increases the losses of the treasury.
Tools Used
Recommended Mitigation Steps
RBS assets should be chosen very carefully. It should never be a volatile asset and stablecoins should be highly trusted and battle-tested.