Swap of USD1 to USDT can revert due to portfolio usage
Summary
Unitas has a stated invariant that swaps from Unitas tokens to underlying assets are always possible. However, a swap from USD1 to USDT can revert if minter reserve funds are sent to an external protocol for yield generation, the swap amount exceeds the Unitas contract's balance of USDT, and the attempt to cover the shortfall using the insurance pool fails. The risk that any minter would be unable to swap back to the underlying asset, even temporarily, contradicts the invariant.
Vulnerability Detail
The Unitas V1 Whitepaper states,
The Unitas protocol guarantees unrestricted and unconditional conversion of its unitized stablecoins “back” to USD-pegged stablecoins.
and
If the user wants to exit the Unitas ecosystem, the protocol allows unrestricted and unconditional conversions from USD1 to USDPEGA.
The Unitas contract holds the reserve of USDT from users who have minted USD1. A portion of that balance may be transferred to a portfolio manager via the Unitas.sendPortfolio() function for the purpose of yield generation. If this is done, the remaining immediately available reserves will not provide 1:1 backing of USDT for USD1 and the system will rely on the insurance pool to cover a shortfall during a swap.
If the immediately available insurance pool USDT balance is insufficient to cover a shortfall during withdrawal of USDT (due to either a lapse in manual management of the insurance pool, or due to insurance pool funds not immediately accessible because they've also been supplied to a portfolio manager), then the transfer from the insurance pool to minter reserves will revert causing the swap to USDT to fail.
Hence, the support for portfolio usage from the reserve pool is inconsistent with the protocol's fundamental guarantee that swaps from Unitas tokens to underlying assets are always possible.
Impact
Reputation
This issue poses a reputational risk to the Unitas protocol because users have no advance knowledge of how or when deposited USDT funds could be transferred to a portfolio manager and no longer be immediately available for 1:1 backing of USD1. Therefore, they are not likely to trust the stated guarantee of supporting "unrestricted and unconditional conversion of its unitized stablecoins back to USD-pegged stablecoins." This impact does not depend on any actual mismanagement of the reserves, but only the existence of functionality that permits the reserve of minter USDT to fall below the 1:1 backing level implied by the guarantee.
Blocked USD1-USDT Swaps
In the worst case, Unitas swaps from USD1 to USDT could be blocked for an unknown length of time, making user funds only accessible via external markets. While this impact depends on some mismanagement of the reserves, the risk should not exist at all especially in the absence of the emergency settlement feature described in whitepaper (to perform automatic conversion of Unitas stablecoins to underlying assets in case of a total reserve ratio dropping to 100%).
Code Snippet
Tool used
Manual Review
Recommendation
Remove support for using minter reserves as a portfolio for revenue generation.
0x00ffDa
medium
Swap of USD1 to USDT can revert due to portfolio usage
Summary
Unitas has a stated invariant that swaps from Unitas tokens to underlying assets are always possible. However, a swap from USD1 to USDT can revert if minter reserve funds are sent to an external protocol for yield generation, the swap amount exceeds the Unitas contract's balance of USDT, and the attempt to cover the shortfall using the insurance pool fails. The risk that any minter would be unable to swap back to the underlying asset, even temporarily, contradicts the invariant.
Vulnerability Detail
The Unitas V1 Whitepaper states,
and
The Unitas contract holds the reserve of USDT from users who have minted USD1. A portion of that balance may be transferred to a portfolio manager via the
Unitas.sendPortfolio()function for the purpose of yield generation. If this is done, the remaining immediately available reserves will not provide 1:1 backing of USDT for USD1 and the system will rely on the insurance pool to cover a shortfall during a swap.If the immediately available insurance pool USDT balance is insufficient to cover a shortfall during withdrawal of USDT (due to either a lapse in manual management of the insurance pool, or due to insurance pool funds not immediately accessible because they've also been supplied to a portfolio manager), then the transfer from the insurance pool to minter reserves will revert causing the swap to USDT to fail.
Hence, the support for portfolio usage from the reserve pool is inconsistent with the protocol's fundamental guarantee that swaps from Unitas tokens to underlying assets are always possible.
Impact
This issue poses a reputational risk to the Unitas protocol because users have no advance knowledge of how or when deposited USDT funds could be transferred to a portfolio manager and no longer be immediately available for 1:1 backing of USD1. Therefore, they are not likely to trust the stated guarantee of supporting "unrestricted and unconditional conversion of its unitized stablecoins back to USD-pegged stablecoins." This impact does not depend on any actual mismanagement of the reserves, but only the existence of functionality that permits the reserve of minter USDT to fall below the 1:1 backing level implied by the guarantee.
In the worst case, Unitas swaps from USD1 to USDT could be blocked for an unknown length of time, making user funds only accessible via external markets. While this impact depends on some mismanagement of the reserves, the risk should not exist at all especially in the absence of the emergency settlement feature described in whitepaper (to perform automatic conversion of Unitas stablecoins to underlying assets in case of a total reserve ratio dropping to 100%).
Code Snippet
Tool used
Manual Review
Recommendation
Remove support for using minter reserves as a portfolio for revenue generation.
Duplicate of #95