When adding or updating pair, its reserve ratio can be set to 0. This poses a threat of tokens becoming undercollateralized, because users can profit from price speculation between token pairs. This can lead to not enough assets in protocol and users not being able to redeem all their tokens back to USDT.
Vulnerability Detail
Unitas uses stablecoins as an underlying asset to back the price of its USD1 and other tokens. As stated in the readme, all minted assets should be at least 130% over-collateralized. For every 1 USD1 there should be 1.3 USDT.
There is a check in TokenManager.sol:386 that controls this reserve ratio is set to at least 130%. As you can see, there is also an if statement that enables the ratio to be set to zero.
This can lead to the risk of minted assets becoming undercollateralized and users not being able to withdraw all funds because it disables checks for reserve ratio in the protocol.
For example, this can happen when users are speculating on a price change:
The user buys 840,000 USD91 with 10,000 USD1.
The transaction is sent to update USD1/USD91 price from 84 to 82.
The user sends another transaction to sell his USD91 and receives 10243.90 USD1. He gains 243.9 USD1 on this transaction.
User redeems USD1 for USDT and exits with a profit, leaving less USDT in the protocol.
This can occur all the time because of price changes. It will not work in scenarios where this transaction would be reverted because there are fewer reserves than 130%. However, when the ratio is lower, this can become a problem.
At first, I wanted to make a separate issue for frontrunning the price update to buy before it, sell after it, and gain some value, but it would only be a more complicated approach to profit from a price change.
0xJuda
high
Reserve ratio can be set to 0
Summary
When adding or updating pair, its reserve ratio can be set to 0. This poses a threat of tokens becoming undercollateralized, because users can profit from price speculation between token pairs. This can lead to not enough assets in protocol and users not being able to redeem all their tokens back to USDT.
Vulnerability Detail
Unitas uses stablecoins as an underlying asset to back the price of its USD1 and other tokens. As stated in the readme, all minted assets should be at least 130% over-collateralized. For every 1 USD1 there should be 1.3 USDT. There is a check in TokenManager.sol:386 that controls this reserve ratio is set to at least 130%. As you can see, there is also an if statement that enables the ratio to be set to zero.
This can lead to the risk of minted assets becoming undercollateralized and users not being able to withdraw all funds because it disables checks for reserve ratio in the protocol.
For example, this can happen when users are speculating on a price change:
This can occur all the time because of price changes. It will not work in scenarios where this transaction would be reverted because there are fewer reserves than 130%. However, when the ratio is lower, this can become a problem.
At first, I wanted to make a separate issue for frontrunning the price update to buy before it, sell after it, and gain some value, but it would only be a more complicated approach to profit from a price change.
Impact
Underlying assets can become undercollateralized.
Code Snippet
TokenManager.sol:386
Tool used
Manual Review
Recommendation
Remove the possibility to set the ratio to zero.