getOwnValuation() of the USSDRebalancer is easily manipulated (Uniswap V3 spot price)
Summary
USSDRebalancer doesn't use a Chainlink oracle or a TWAP oracle to compute the DAI/USDD price. It is easy for an attacker to manipulate the price in order to trigger a rebalance.
Vulnerability Detail
Rebalances are based on getOwnValuation() value. This value is based on Uniswap slot0.
slot0 is the most recent data point and can easily be manipulated.
/// @dev get price estimation to DAI using pool address and uniswap price
function getOwnValuation() public view returns (uint256 price) {
(uint160 sqrtPriceX96, , , , , , ) = uniPool.slot0();
if (uniPool.token0() == USSD) {
price =
((uint(sqrtPriceX96) * (uint(sqrtPriceX96))) / (1e6)) >>
(96 * 2);
} else {
price =
(uint(sqrtPriceX96) *
(uint(sqrtPriceX96)) *
(1e18)) /* 1e12 + 1e6 decimal representation */ >>
(96 * 2);
// flip the fraction
price = (1e24 / price) / 1e12;
}
}
SensoYard
high
getOwnValuation() of the USSDRebalancer is easily manipulated (Uniswap V3 spot price)
Summary
USSDRebalancer doesn't use a Chainlink oracle or a TWAP oracle to compute the DAI/USDD price. It is easy for an attacker to manipulate the price in order to trigger a rebalance.
Vulnerability Detail
Rebalances are based on
getOwnValuation()value. This value is based on Uniswapslot0. slot0 is the most recent data point and can easily be manipulated.https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#L93
Impact
The rebalance will happen based on a wrong valuation and the protocol will lose fund.
Code Snippet
Tool used
Manual Review
Recommendation
If possible, use the uniswap TWAP oracle
Duplicate of #451