Closed c4-bot-3 closed 3 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
Will let sponsor review your concern.
ditto-eth (sponsor) disputed
ETH/dUSD oracle does not exist, the system uses ETH/USD chainlink oracle (see address)
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/RedemptionFacet.sol#L75
Vulnerability details
Impact
dUSD is not redeemed at 1 USD/dUSD as intended, but simply traded for ETH at its current price. This completely disincentivizes redemptions, which are necessary to maintain the peg.
Proof of Concept
When a redemption is claimed, the number `colRedeemed` for each short record is the amount of ETH the redeemer gets. `colRedeemed` is calculated as `colRedeemed = amountProposed * oraclePrice`, where `amountProposed` is in units of dUSD. The intention is that `amountProposed` dUSD should redeem `amountProposed` USD worth of ETH, i.e. as if `USD/dUSD = 1`. This means that `oraclePrice` should be the price of ETH/USD. But `oraclePrice` is `LibOracle.getPrice(p.asset)` where `asset` is dUSD, i.e. `oraclePrice` is the price ETH/dUSD. This means that dUSD is redeemed at the current value of dUSD, instead of at the peg of 1:1 dUSD:USD. This is the equivalent of just trading dUSD for ETH, instead of a redemption for an undervalued dUSD at its pegged value.
Recommended Mitigation Steps
Set `oraclePrice` to the price ETH/USD.
Assessed type
Oracle
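The following is an added illustration of the unit argument made in the report above; it is not code from the DittoETH repository and does not decide the dispute between the warden and the sponsor. It mirrors the report's formula `colRedeemed = amountProposed * oraclePrice` with the oracle expressed as ETH per unit of the redeemed asset, and compares the ETH paid out when the price is taken at the 1:1 peg (an ETH/USD feed) against the ETH paid out when it is taken at the current market value of dUSD (the ETH/dUSD interpretation the report describes). All prices and amounts are constructed sample values, and the function names are hypothetical.

```python
from fractions import Fraction

def col_redeemed(amount_proposed: Fraction, oracle_price: Fraction) -> Fraction:
    """Mirror of the report's formula: colRedeemed = amountProposed * oraclePrice.
    oracle_price is ETH per one unit of the redeemed asset, so the result is ETH."""
    return amount_proposed * oracle_price

def redemption_incentive(amount_dusd: Fraction, eth_usd: Fraction, dusd_usd: Fraction):
    """Compare the two oracle interpretations for one redemption.

    amount_dusd: dUSD being redeemed
    eth_usd:     market price of ETH in USD (what an ETH/USD feed reports)
    dusd_usd:    current market price of dUSD in USD (1 when dUSD is at peg)

    Returns (eth_at_peg, eth_at_market, surplus_usd) where surplus_usd is how
    much more USD value the redeemer receives at the peg than by simply selling
    the dUSD on the market. A positive surplus is the arbitrage that pulls a
    depegged dUSD back toward 1 USD; a zero surplus means redeeming is no better
    than an ordinary trade.
    """
    # Peg interpretation: each dUSD redeems exactly 1 USD worth of ETH,
    # so the ETH-per-asset price is 1 / (ETH/USD).
    eth_per_usd = Fraction(1) / eth_usd
    # Market interpretation: each dUSD redeems only its current USD value in ETH.
    eth_per_dusd = dusd_usd / eth_usd

    eth_at_peg = col_redeemed(amount_dusd, eth_per_usd)
    eth_at_market = col_redeemed(amount_dusd, eth_per_dusd)
    surplus_usd = (eth_at_peg - eth_at_market) * eth_usd
    return eth_at_peg, eth_at_market, surplus_usd

if __name__ == "__main__":
    # Constructed scenario: ETH at 2000 USD, dUSD trading at 0.95 USD,
    # redeemer brings 1000 dUSD.
    peg, market, surplus = redemption_incentive(Fraction(1000), Fraction(2000), Fraction(95, 100))
    print(f"ETH at peg:    {float(peg):.4f}")      # 0.5000 ETH = 1000 USD of ETH
    print(f"ETH at market: {float(market):.4f}")   # 0.4750 ETH =  950 USD of ETH
    print(f"surplus (USD): {float(surplus):.2f}")  # 50.00 only under the peg pricing
```

With dUSD exactly at peg both interpretations pay the same ETH and the surplus is zero; the difference only appears when dUSD trades away from 1 USD, which is precisely the situation in which redemptions are meant to act as the peg-restoring mechanism.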