Perennial uses $USD proxies (i.e. USDC/DSU) as collateral and assumes the price of these assets is $1.
function _handleWrap(address receiver, UFixed18 amount) internal {
// If the batcher is 0 or doesn't have enough for this wrap, go directly to the reserve
if (address(batcher) == address(0) || amount.gt(DSU.balanceOf(address(batcher)))) {
reserve.mint(amount);
if (receiver != address(this)) DSU.push(receiver, amount);
} else {
// Wrap the USDC into DSU and return to the receiver
batcher.wrap(amount, receiver);
}
}
/**
* @notice Helper function to unwrap `amount` DSU into USDC and send to `receiver`
* @param receiver Address to receive the USDC
* @param amount Amount of DSU to unwrap
*/
function _handleUnwrap(address receiver, UFixed18 amount) internal {
// If the batcher is 0 or doesn't have enough for this unwrap, go directly to the reserve
if (address(batcher) == address(0) || amount.gt(USDC.balanceOf(address(batcher)))) {
reserve.redeem(amount);
if (receiver != address(this)) USDC.push(receiver, amount);
} else {
// Unwrap the DSU into USDC and return to the receiver
batcher.unwrap(amount, receiver);
}
}
This assumption will be broken in the case of depegs which have been shown to occur in the past. Depegs could lead to various effects including the devaluing of collateral.
Malicious users can take advantage during depeg events to profit through vectors such as liquidations.
The risk is more so evident for the balanced vault whose deposit and redeem functions don't have pause functionality.
levi
medium
USDC
depeg risk will affect collateralSummary
USDC
depeg risk will affect collateral.Vulnerability Detail
Perennial uses $USD proxies (i.e. USDC/DSU) as collateral and assumes the price of these assets is $1.
This assumption will be broken in the case of depegs which have been shown to occur in the past. Depegs could lead to various effects including the devaluing of collateral.
Malicious users can take advantage during depeg events to profit through vectors such as liquidations.
The risk is more so evident for the balanced vault whose deposit and redeem functions don't have pause functionality.
Impact
Devaluation of collateral can be exploited.
Code Snippet
https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/multiinvoker/MultiInvoker.sol#L352-L377
Tool used
Manual Review
Recommendation
Ensure measures are in place to handle depegs e.g add pause functionality to deposit and redeem functionality in the balanced vault.