hats-finance / Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd

Audit competition repository for Euro-Dollar (0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd)
https://hats.finance
MIT License

YieldOracle: Price update `setCurrentPrice` and `setPreviousPrice` have a strict check. In a real case, this may not work to update as expected #81

Open hats-bug-reporter[bot] opened 2 weeks ago

hats-bug-reporter[bot] commented 2 weeks ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x2c80f17b4a474f68c8c0f940e1f1e7858d94a5d956bac7a6dcfe2292c73b13a5
Severity: medium

Description:

The YieldOracle contract has the following functions to update the current and previous price values of the tokens.


    /**
     * @notice Updates the current price.
     * @param price The new current price.
     */
    function setCurrentPrice(uint256 price) external onlyOwner {
        require(MIN_PRICE <= price && previousPrice <= price, "Price out of bounds");

        currentPrice = price;
    }

    /**
     * @notice Updates the previous price.
     * @param price The new previous price.
     */
    function setPreviousPrice(uint256 price) external onlyOwner {
        require(MIN_PRICE <= price && price <= currentPrice, "Price out of bounds");

        previousPrice = price;
    }

The functions expect that the price should be >= 1e18 (MIN_PRICE). The current price should be >= the previous price.

This could be problematic when the price falls below 1e18 (for example, the USDC price is not always 1e18; it fluctuates between 0.97e18 and 1e18).

https://coinmarketcap.com/currencies/usd-coin/ -- look for the all-time value

For example, in March 2023, the lowest price value is 0.968e18.

Impact

During these times, the price cannot be updated as expected. This would result in undervaluing the asset when minting the shares. An incorrect amount of shares would be minted for the given asset value.

  1. Revised Code File (Optional)

As the owner updates the prices, it would be safe to remove the MIN_PRICE limit check.
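The two `require` checks quoted in the report, modelled in Python to show which owner updates they accept and in what call order. This is an added example, not code from the Euro-Dollar repository or from the reporter; the starting prices, the target values and the names `OracleModel` and `find_call_order` are assumptions made for illustration.

```python
from itertools import permutations

MIN_PRICE = 10**18  # 1e18, the lower bound named in the report


class Revert(Exception):
    """Stands in for a failed Solidity require()."""


class OracleModel:
    """Models only the two owner setters quoted above (onlyOwner omitted)."""

    def __init__(self, previous_price=MIN_PRICE, current_price=MIN_PRICE):
        # Starting values are an assumption of this example.
        self.previous_price = previous_price
        self.current_price = current_price

    def set_current_price(self, price):
        if not (MIN_PRICE <= price and self.previous_price <= price):
            raise Revert("Price out of bounds")
        self.current_price = price

    def set_previous_price(self, price):
        if not (MIN_PRICE <= price and price <= self.current_price):
            raise Revert("Price out of bounds")
        self.previous_price = price


def find_call_order(start_prev, start_cur, target_prev, target_cur):
    """Return the setter order that reaches the target pair, or None if every order reverts."""
    calls = [("set_previous_price", target_prev), ("set_current_price", target_cur)]
    for order in permutations(calls):
        oracle = OracleModel(start_prev, start_cur)
        try:
            for name, price in order:
                getattr(oracle, name)(price)
        except Revert:
            continue
        return [name for name, _ in order]
    return None


if __name__ == "__main__":
    e18 = 10**18
    # Constructed scenarios: (start_prev, start_cur, target_prev, target_cur)
    print(find_call_order(e18, e18, 102 * e18 // 100, 103 * e18 // 100))               # raise both
    print(find_call_order(102 * e18 // 100, 103 * e18 // 100, e18, 101 * e18 // 100))  # lower both
    print(find_call_order(e18, e18, 968 * e18 // 1000, 968 * e18 // 1000))             # 0.968e18 target
```

Raising both values only succeeds when the current price is set first, lowering both only when the previous price is set first, and a target below `MIN_PRICE` has no accepted order.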

AndreiMVP commented 2 weeks ago

For our protocol this is not an issue. Price normally always increases relative to the stablecoin and it can be assumed it will always be >=1e18. We also assume admin is acting properly with these functions in the rare cases it would use them (fixing an ORACLE_ROLE malfunction etc).

0xpinky commented 2 weeks ago

Hi @AndreiMVP, this issue is about the inability of the function to adjust the price to less than 1e18. As we have shown in the real case with USDC, its price sometimes fluctuates between 0.96e18 and 1.01e18 during market fluctuations or due to other external factors. It might be possible to happen. In this real-case scenario, the price is reduced by about 3%. But the code still uses 100% of the asset price to decide the share price.

For example, when a user intends to buy 100000 tokens, they have to spend 100000 instead of 97000 tokens.

0xpinky commented 2 weeks ago

We have analysed the list of stablecoins and how their prices fluctuate. Please refer here

AndreiMVP commented 2 weeks ago

Eurodollar will always price the stablecoin at $1 and will be the sole issuer. The yield gain will be updated relative to that. While the price might fluctuate in secondary markets, this would not affect the protocol workings.

0xpinky commented 2 weeks ago

Hey. Could you please share the rationale behind the peg value of Euro-Dollar? Even in the fiat market, USD vs. Euro could be fluctuating. What do you mean by secondary market fluctuations? It's practically not possible to peg the Euro-Dollar to 1 USD all the time. We are wondering how the project pegs this value strictly.