Open hats-bug-reporter[bot] opened 2 days ago
Intended behavior. Selling of shares is done at the previous price in order to prevent stealing of new yield every time the price is updated. Thus the user has to wait > update delay to collect yield, allowing also for the offchain update of the backing RWA assets.
Github username: --
Twitter username: 0xgreed_
Submission hash (on-chain): 0x060c934cf1ef44031d519f4bd806088f4d53cb6d72ca7bcc3a8387052ff0880a
Severity: high
Description:
Relevant Context
The `YieldOracle` contract maintains three price values:
- `previousPrice`: The price before the current price
- `currentPrice`: The active price being used
- `nextPrice`: A pending price that will become current after commit
These prices are used to convert between shares and assets in the protocol.
Finding Description
The `sharesToAssets()` function incorrectly uses `previousPrice` instead of `currentPrice` when converting shares to assets. This means the conversion is using an outdated price that does not reflect the current value of shares.
The root cause is in the `sharesToAssets()` implementation:
While the corresponding `assetsToShares()` function correctly uses `currentPrice`:
Impact Explanation
High. This discrepancy between the actual share value and the calculated asset value could lead to:
Likelihood Explanation
High. This issue will affect every share to asset conversion operation, making it a consistently exploitable problem rather than an edge case.
Proof of Concept
`sharesToAssets()` to calculate redemption value
Recommendation
Update the `sharesToAssets()` function to use `currentPrice` instead of `previousPrice`:
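A simplified Python model of the pricing discussed in this issue, added here as an illustration and not taken from the audited contract or from the report. It compares redeeming at `previousPrice` with redeeming at `currentPrice` for a deposit made just before a price update. The 1e18 scale, the conversion formulas, the commit rotation and all Python names are assumptions.

```python
WAD = 10**18  # assumed fixed-point scale; the page does not state one


class OracleModel:
    """Assumed model of the three prices in the report (not the real contract)."""

    def __init__(self, price):
        self.previous_price = price
        self.current_price = price
        self.next_price = price

    def set_next(self, price):
        self.next_price = price  # pending until commit

    def commit(self):
        # Assumed rotation: current becomes previous, pending becomes current.
        self.previous_price = self.current_price
        self.current_price = self.next_price

    def assets_to_shares(self, assets):
        # Buying side: uses currentPrice, as the report states.
        return assets * WAD // self.current_price

    def shares_to_assets(self, shares, use_current=False):
        # Selling side: previousPrice (behaviour described on the page) or
        # currentPrice (the report's recommendation), for comparison.
        price = self.current_price if use_current else self.previous_price
        return shares * price // WAD


def gain_across_update(deposit, old_price, new_price, use_current):
    """Deposit just before a price update, redeem right after; return the gain."""
    oracle = OracleModel(old_price)
    oracle.set_next(new_price)
    shares = oracle.assets_to_shares(deposit)  # bought at old_price
    oracle.commit()                            # update lands
    return oracle.shares_to_assets(shares, use_current) - deposit


def gain_after_two_updates(deposit, p0, p1, p2):
    """Holder who stays through a second update redeems at p1."""
    oracle = OracleModel(p0)
    shares = oracle.assets_to_shares(deposit)
    for price in (p1, p2):
        oracle.set_next(price)
        oracle.commit()
    return oracle.shares_to_assets(shares) - deposit
```

With constructed prices 1.00 and 1.05, the model gives no gain on an immediate redemption at `previousPrice` and a 5% gain at `currentPrice`; a holder who waits for the following update collects that 5% at `previousPrice`.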