code-423n4 / 2024-03-dittoeth-findings


Oracle price of ETH/dUSD is used instead of ETH/USD in redemptions #275

Closed c4-bot-3 closed 3 months ago

c4-bot-3 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/RedemptionFacet.sol#L75

Vulnerability details

Impact

dUSD is not redeemed at 1 USD/dUSD as intended, but simply traded for ETH at its current price. This completely disincentivizes redemptions, which are necessary to maintain the peg.

Proof of Concept

When a redemption is claimed, the number colRedeemed for each short record is the amount of ETH the redeemer gets. colRedeemed is calculated as colRedeemed = amountProposed * oraclePrice, where amountProposed is in units of dUSD. The intention is that amountProposed dUSD should redeem amountProposed USD worth of ETH, i.e. as if USD/dUSD = 1. This means that oraclePrice should be the price of ETH/USD. But oraclePrice is LibOracle.getPrice(p.asset) where asset is dUSD, i.e. oraclePrice is the price ETH/dUSD. This means that dUSD is redeemed at the current value of dUSD, instead of at the peg of 1:1 dUSD:USD. This is the equivalent of just trading dUSD for ETH, instead of a redemption for an undervalued dUSD at its pegged value.

Recommended Mitigation Steps

Set oraclePrice to the price ETH/USD.

Assessed type

Oracle

c4-pre-sort commented 3 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 3 months ago

raymondfam marked the issue as primary issue

raymondfam commented 3 months ago

Will let sponsor review your concern.

c4-sponsor commented 3 months ago

ditto-eth (sponsor) disputed

ditto-eth commented 3 months ago

An ETH/dUSD oracle does not exist; the system uses the ETH/USD Chainlink oracle (see address).

c4-judge commented 3 months ago

hansfriese marked the issue as unsatisfactory: Invalid