code-423n4 / 2024-03-saltyio-mitigation-findings


M-08 MitigationConfirmed #54

Open c4-bot-5 opened 4 months ago

c4-bot-5 commented 4 months ago

Lines of code

Vulnerability details

C4 Issue

https://github.com/code-423n4/2024-01-salty-findings/issues/809

Comments

The issue highlights an edge case vulnerability that arises from the price feed aggregator in the Salty protocol, which averages the closest two prices from three feeds (Chainlink, Uniswap 30-minute TWAP, and Salty spot price) for operations like liquidation and borrowing. If the disparity between the feeds exceeds a set threshold (3% by default), the aggregator reverts transactions. This mechanism becomes problematic during high volatility (which is the case in periods with high liquidations), as the feeds—due to their distinct reporting methods—are likely to diverge beyond this limit. Uniswap's TWAP, with a 30-minute delay, contrasts with the immediate updates from Chainlink and Salty, leading to potential discrepancies, especially in fast-moving markets.

Mitigation

https://github.com/othernet-global/salty-io/commit/8e3231d3f444e9851881d642d6dd03021fade5ed

The mitigation for this issue revolved around the deprecation of a number of key components, including:

  1. The overcollateralized USDS stablecoin framework was completely deprecated, which also meant borrowing of USDS no longer exists, ergo liquidations are no longer possible.
  2. The price aggregator itself was deprecated because its main purpose was to provide pricing for the collateral and liquidity framework which itself has been deprecated.

Conclusion

LGTM
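As an added illustration of the mechanism the comment above describes (this is constructed example code, not code from the Salty repository or from the warden): a Python model of a closest-two-of-three aggregator with a 3% divergence limit, plus a time-weighted average that shows why a 30-minute TWAP trails spot during a sharp move. The feed names, the percent-difference convention (spread relative to the pair's average), the `safe_aggregate` helper and every price are assumptions chosen to reproduce the revert path, not values from the protocol.

```python
"""Closest-two-of-three price aggregation with a divergence limit.

Constructed model of the mechanism the finding describes; it is not the
Salty protocol's contract code. Feed names, the percent-difference
convention and every price below are assumptions.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Sequence, Tuple


class PriceFeedDivergence(Exception):
    """Even the two closest feeds disagree by more than the allowed limit."""


@dataclass(frozen=True)
class Quote:
    source: str
    price: float  # assumed unit: USD per asset, must be positive


def window_twap(segments: Sequence[Tuple[float, float]]) -> float:
    """Time-weighted average price over a window.

    `segments` are (minutes, price) pairs covering the window. A 30-minute
    TWAP only moves by the fraction of the window that saw the new price,
    which is why it trails spot during a fast move.
    """
    total_minutes = sum(minutes for minutes, _ in segments)
    if total_minutes <= 0:
        raise ValueError("window must have positive duration")
    return sum(minutes * price for minutes, price in segments) / total_minutes


def aggregate(quotes: Sequence[Quote], max_diff_pct: float = 3.0) -> float:
    """Average the two closest of three quotes.

    Raises PriceFeedDivergence when the closest pair differs by more than
    `max_diff_pct`. The difference is measured relative to the pair's
    average (an assumption of this model, not the contract's formula).
    """
    if len(quotes) != 3:
        raise ValueError("expected exactly three feeds")
    for quote in quotes:
        if quote.price <= 0:
            raise ValueError(f"{quote.source}: non-positive price")

    # Pick the pair with the smallest absolute spread.
    first, second = min(
        combinations(quotes, 2),
        key=lambda pair: abs(pair[0].price - pair[1].price),
    )
    average = (first.price + second.price) / 2
    diff_pct = abs(first.price - second.price) / average * 100
    if diff_pct > max_diff_pct:
        raise PriceFeedDivergence(
            f"{first.source}={first.price} vs {second.source}={second.price}: "
            f"{diff_pct:.2f}% apart, limit {max_diff_pct}%"
        )
    return average


def safe_aggregate(quotes: Sequence[Quote], max_diff_pct: float = 3.0) -> Optional[float]:
    """Return the aggregated price, or None when the feeds diverge too far.

    A caller that depends on a price (e.g. a liquidation path) has no value
    to work with in the None case, which is the failure mode of the finding.
    """
    try:
        return aggregate(quotes, max_diff_pct)
    except PriceFeedDivergence:
        return None


# Constructed calm market: all three feeds within a fraction of a percent.
CALM_QUOTES: List[Quote] = [
    Quote("chainlink", 2000.0),
    Quote("uniswap_twap", 2004.0),
    Quote("salty_spot", 1998.0),
]

# Constructed sharp drop, 4 minutes ago, from 1980 to 1800: spot reflects it at
# once, the Chainlink round (assumed) has updated partway, and 26 of the TWAP's
# 30 minutes still predate the move, so the TWAP sits far above both.
LAGGING_TWAP = window_twap([(26, 1980.0), (4, 1800.0)])  # 1956.0
VOLATILE_QUOTES: List[Quote] = [
    Quote("chainlink", 1880.0),
    Quote("uniswap_twap", LAGGING_TWAP),
    Quote("salty_spot", 1800.0),
]


if __name__ == "__main__":
    print("calm:", safe_aggregate(CALM_QUOTES))          # 1999.0
    print("volatile:", safe_aggregate(VOLATILE_QUOTES))  # None: closest pair is 3.96% apart
```

In the volatile scenario the closest pair is Chainlink and the lagging TWAP (76 apart on an average of 1918, about 3.96%), so even the best-agreeing feeds exceed the 3% limit and no price is produced. Raising `max_diff_pct` to 5% would let the same quotes through at 1918.0, which is exactly the trade-off the finding points at: a tight limit resists manipulation but denies service when the market is moving fastest and liquidations are most needed.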

c4-judge commented 4 months ago

Picodes marked the issue as confirmed for report

c4-judge commented 4 months ago

Picodes marked the issue as satisfactory