USSDRebalancer.sol : flutterRatios is not used properly.
Summary
flutterRatios is not checked properly during SellUSSDBuyCollateral
Vulnerability Detail
    function SellUSSDBuyCollateral() internal {
        uint256 amount = IUSSD(USSD).balanceOf(USSD);
        // sell for DAI then swap by DAI routes
        uint256 daibought = 0;
        if (uniPool.token0() == USSD) {
            daibought = IERC20Upgradeable(baseAsset).balanceOf(USSD);
            IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token0(), hex"0001f4", uniPool.token1())), amount);
            daibought = IERC20Upgradeable(baseAsset).balanceOf(USSD) - daibought; // would revert if not bought
        } else {
            daibought = IERC20Upgradeable(baseAsset).balanceOf(USSD);
            IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token1(), hex"0001f4", uniPool.token0())), amount);
            daibought = IERC20Upgradeable(baseAsset).balanceOf(USSD) - daibought; // would revert if not bought
        }
        // total collateral portions
        uint256 cf = IUSSD(USSD).collateralFactor();
        uint256 flutter = 0;
        for (flutter = 0; flutter < flutterRatios.length; flutter++) {
            if (cf < flutterRatios[flutter]) {
                break;
            }
        }
In order to buy the collateral, USSD is sold. The code snippet above shows that the collateral factor is compared with flutterRatios.
Whether the comparison is < or >, the contract still allows the operation.
Impact
Rebalancing still happens while the position is healthy.
0xpinky
medium
Code Snippet
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#L163C1-L184
Tool used
Manual Review
Recommendation
Refactor the code and use flutterRatios correctly.
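The loop quoted under Vulnerability Detail only selects an index and never stops execution. The contract below is an added illustration, not code from the USSD repository or from the finding's author: it isolates that loop and puts one possible guard beside it. The contract name, function names, error name, sample ratio values and the definition of "healthy" used by the guard are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration; not code from the USSD repository.
contract FlutterModel {
    // Constructed sample thresholds, ascending, 18-decimal fixed point.
    uint256[] public flutterRatios;

    // Hypothetical error used only by the guarded variant below.
    error CollateralFactorNotBelowAnyRatio(uint256 cf);

    constructor() {
        flutterRatios.push(8e17);  // 0.8 (constructed)
        flutterRatios.push(1e18);  // 1.0 (constructed)
        flutterRatios.push(12e17); // 1.2 (constructed)
    }

    // The loop as quoted in the finding: it picks the first index whose
    // ratio is greater than cf and falls through with
    // flutter == flutterRatios.length when no ratio is. It never reverts,
    // so on its own it cannot stop the caller from continuing.
    function flutterIndex(uint256 cf) public view returns (uint256 flutter) {
        for (flutter = 0; flutter < flutterRatios.length; flutter++) {
            if (cf < flutterRatios[flutter]) {
                break;
            }
        }
    }

    // Guarded variant. ASSUMPTION: "healthy" means cf is at or above every
    // configured ratio, and the sell path should stop in that case.
    function guardedFlutterIndex(uint256 cf) external view returns (uint256 flutter) {
        flutter = flutterIndex(cf);
        if (flutter == flutterRatios.length) {
            revert CollateralFactorNotBelowAnyRatio(cf);
        }
    }
}
```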