sherlock-audit / 2023-07-blueberry-judging


0x52 - Stable BPT valuation is incorrect and can be exploited to cause protocol insolvency #97

Open sherlock-admin2 opened 1 year ago

sherlock-admin2 commented 1 year ago

0x52

high

Stable BPT valuation is incorrect and can be exploited to cause protocol insolvency

Summary

The current methodology for valuing Stable BPT is incorrect and can lead to significant over valuation of the stable BPT.

Vulnerability Detail

StableBPTOracle.sol#L48-L53

    // Take the lowest base-oracle price across all tokens in the pool...
    uint256 minPrice = base.getPrice(tokens[0]);
    for(uint256 i = 1; i != length; ++i) {
        uint256 price = base.getPrice(tokens[i]);
        minPrice = (price < minPrice) ? price : minPrice;
    }
    // ...and scale that raw token price by the pool's BPT rate.
    return minPrice.mulWadDown(pool.getRate());

The above block is used to calculate the price: finding the min price of all assets in the pool, then multiplying by the current rate of the pool. This is nearly identical to how stable Curve LP is priced. Balancer pools are a bit different, and this methodology is incorrect for them. Let's look at a current mainnet pool to see the problem. Take the wstETH/aETHc pool. Currently getRate() = 1.006. The lowest price is aETHc at 2,073.23. This values the LP at 2,085.66. The issue is that the LP's actual value is 1,870.67 (nearly 12% overvalued), which can be checked here.

Overvaluing the LP as such can cause protocol insolvency as the borrower can overborrow against the LP, leaving the protocol with bad debt.

Impact

Protocol insolvency due to overborrowing

Code Snippet

https://github.com/sherlock-audit/2023-07-blueberry/blob/main/blueberry-core/contracts/oracle/StableBPTOracle.sol#L37-L54

Tool used

Manual Review

Recommendation

Stable BPT oracles need to use a new pricing methodology
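The following is an added example, not code from the Blueberry repo or from the report above. It reproduces the quoted StableBPTOracle arithmetic in 18-decimal fixed point and sets it beside an assumed rate-adjusted variant (divide each token price by its own rate-provider rate before taking the minimum), purely to show where the overvaluation comes from. Figures taken from the report are pool.getRate() = 1.006 and the aETHc price 2,073.23; the wstETH price (2,101.25), the rate-provider rates (wstETH 1.13, aETHc 1.115), the second "flat-rate" pool, and the premise that pool.getRate() is denominated in the pool's rate-scaled base unit are all constructed assumptions, which is why the rate-adjusted figure lands near, but not exactly on, the report's 1,870.67.

```python
"""Model of the Stable BPT pricing path discussed in this issue.

Added example, not code from the Blueberry repo or the 0x52 report. The values
marked (issue) come from the report; everything marked ASSUMED is constructed.
"""
from dataclasses import dataclass

WAD = 10**18


def mul_wad_down(a: int, b: int) -> int:
    """Solidity mulWadDown: floor(a * b / 1e18) on 18-decimal fixed-point ints."""
    return (a * b) // WAD


def div_wad_down(a: int, b: int) -> int:
    """Solidity divWadDown: floor(a * 1e18 / b)."""
    return (a * WAD) // b


@dataclass(frozen=True)
class PoolToken:
    symbol: str
    usd_price: int  # 18-decimal USD price, as base.getPrice(token) would return it
    rate: int       # 18-decimal rate-provider rate (token -> base unit); ASSUMED values


def current_bpt_price(tokens: list[PoolToken], pool_rate: int) -> int:
    """Mirrors the StableBPTOracle snippet quoted in the issue: take the minimum
    raw USD price across the pool's tokens, then multiply by pool.getRate()."""
    min_price = tokens[0].usd_price
    for t in tokens[1:]:
        min_price = t.usd_price if t.usd_price < min_price else min_price
    return mul_wad_down(min_price, pool_rate)


def rate_adjusted_bpt_price(tokens: list[PoolToken], pool_rate: int) -> int:
    """ASSUMED alternative, shown only to explain the discrepancy: normalise each
    token price by that token's rate-provider rate so the minimum is taken in the
    same base unit pool.getRate() is expressed in. Not Blueberry's fix."""
    min_base_price = min(div_wad_down(t.usd_price, t.rate) for t in tokens)
    return mul_wad_down(min_base_price, pool_rate)


def overvaluation_bps(reported: int, actual: int) -> int:
    """Basis points by which `reported` exceeds `actual` (floored)."""
    return (reported - actual) * 10_000 // actual


# Constructed scenario 1: wstETH/aETHc, where both tokens carry a rate above 1.
WSTETH_AETHC = [
    PoolToken("wstETH", usd_price=210125 * 10**16, rate=113 * 10**16),   # 2,101.25 USD (ASSUMED), rate 1.13 (ASSUMED)
    PoolToken("aETHc",  usd_price=207323 * 10**16, rate=1115 * 10**15),  # 2,073.23 USD (issue), rate 1.115 (ASSUMED)
]
WSTETH_AETHC_RATE = 1006 * 10**15  # pool.getRate() = 1.006 (issue)

# Constructed scenario 2: a pool whose tokens all have rate 1.0. Here both methods
# agree, which is why the bug only bites for pools the protocol actually lists
# whose tokens have non-unit rates.
FLAT_RATE_POOL = [
    PoolToken("A", usd_price=9998 * 10**14, rate=WAD),   # 0.9998 USD (ASSUMED)
    PoolToken("B", usd_price=10003 * 10**14, rate=WAD),  # 1.0003 USD (ASSUMED)
]
FLAT_RATE_POOL_RATE = 10250 * 10**14  # 1.025 (ASSUMED)


def scenario_summary(tokens: list[PoolToken], pool_rate: int) -> dict:
    """Report both valuations and the gap between them for one pool."""
    reported = current_bpt_price(tokens, pool_rate)
    actual = rate_adjusted_bpt_price(tokens, pool_rate)
    return {
        "reported_usd": reported / WAD,
        "actual_usd": actual / WAD,
        "overvaluation_bps": overvaluation_bps(reported, actual),
    }


if __name__ == "__main__":
    for name, tokens, rate in [("wstETH/aETHc", WSTETH_AETHC, WSTETH_AETHC_RATE),
                               ("flat-rate pool", FLAT_RATE_POOL, FLAT_RATE_POOL_RATE)]:
        s = scenario_summary(tokens, rate)
        print(f"{name}: oracle {s['reported_usd']:.2f} vs rate-adjusted "
              f"{s['actual_usd']:.2f} (+{s['overvaluation_bps']} bps)")
```

With the assumed rates, the gap between the two methods for the wstETH/aETHc pool is exactly the rate of the cheapest token minus one (1.115, so 1,150 bps), because the minimum is the same token under both methods; for the flat-rate pool the two methods coincide and the gap is zero.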

sherlock-admin2 commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

0xyPhilic commented:

invalid because there is no sufficient data/explanations to support the explained issue

Kral01 commented:

only an issue if the protocol uses this LP pair

IAm0x52 commented 1 year ago

Escalate

This is not a dupe of #100. Though it focuses on a similar area of the code, the underlying issue is completely different. StableBPT is valued highly incorrectly for some pools, and it will cause significant damage to the protocol.

sherlock-admin2 commented 1 year ago

Escalate

This is not a dupe of #100. Though it focuses on a similar area of the code, the underlying issue is completely different. StableBPT is valued highly incorrectly for some pools, and it will cause significant damage to the protocol.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Shogoki commented 1 year ago

Overvaluing the LP as such can cause protocol insolvency as the borrower can overborrow against the LP, leaving the protocol with bad debt.

Yes, not a duplicate of #100 @Gornutz can you take a look at this?

Gornutz commented 1 year ago

Confirm this is not a duplicate of #100

hrishibhat commented 1 year ago

Result:
High
Unique
Considering this a valid high issue as the wrong price is calculated and returned

sherlock-admin2 commented 1 year ago

Escalations have been resolved successfully!

Escalation status: