J4de - In OSDA mode, the attacker may buy payout token at a price lower than the theoretical value

[sherlock-admin]

J4de

medium

In OSDA mode, the attacker may buy payout token at a price lower than the theoretical value

Summary

In OSDA mode, the attacker may buy payout token at a price lower than the theoretical value.

Vulnerability Detail

In OSDA mode, the price depends on the expected capacity and actual capacity. The expected capacity decays linearly with time. If the expected capacity is higher than the actual capacity, then the market is undersold and price should be discounted, and the price will have a minimum value.

Assuming that the price reaches the lowest value, people's desire to buy will become the largest, and when people buy some, the price will rise (because the actual capacity becomes smaller).

The problem here is that the price calculation does not refer to the purchase amount of the buyer, which leads to the fact that when the price reaches the minimum value, the attack can buy all the payout tokens at the minimum value, which violates OSDA’s price calculation rules (The situation of buying in batches is closer to OSDA's price calculation rules, but the average price will be much higher).

Impact

Attackers can buy payout tokens at a lower price.

Code Snippet

https://github.com/sherlock-audit/2023-02-bond/blob/main/bonds/src/bases/BondBaseOSDA.sol#L426-L483

Tool used

Manual Review

Recommendation

Consider the number of buyers when calculating the price.

[Oighty]

The amount of tokens that can be bought in one transaction is limited by the maxPayout of the market. The OSDA pricing model specifically does not have slippage based on the purchase amount so this is the correct behavior.