0xpinky - USSDRebalancer.sol#L109 : BuyUSSDSellCollateral does not check whether valid amount of DAI is obtained during swapping

[sherlock-admin]

0xpinky

high

USSDRebalancer.sol#L109 : BuyUSSDSellCollateral does not check whether valid amount of DAI is obtained during swapping

Summary

without checking the valid amount of DAI is swapped, contract is burning the USSD tokens.

Vulnerability Detail

During rebalance, when USSD wants to bought by swapping the collateral, contract calls the BuyUSSDSellCollateral.

At the end of function, contract burns the contract's USSD balance.

below code snippet shows the swapping of USSD for DAI. It does the operation only DAItosell > 0.

  if (DAItosell > 0) {
    if (uniPool.token0() == USSD) {
        IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token1(), hex"0001f4", uniPool.token0())), DAItosell);
    } else {
        IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token0(), hex"0001f4", uniPool.token1())), DAItosell);
    }
  }

   IUSSD(USSD).burnRebalancer(IUSSD(USSD).balanceOf(USSD)); --------------->>> audit find

Burning happens outside the if condition.

Impact

When there is no collected, contract burns the USSD token. This would unnecessary loss.

The situation could be either failure for swapping which could result in unavailable of router for quite some time or some other reason.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#L109-L161

Tool used

Manual Review

Recommendation

Update the codes as shown below

  if (DAItosell > 0) {

    IUSSD(USSD).burnRebalancer(IUSSD(USSD).balanceOf(USSD)); ------------------------->>> updated.
    if (uniPool.token0() == USSD) {
        IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token1(), hex"0001f4", uniPool.token0())), DAItosell);
    } else {
        IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token0(), hex"0001f4", uniPool.token1())), DAItosell);
    }
  }