Open sherlock-admin2 opened 1 year ago
2 comment(s) were left on this issue during the judging contest.
0xyPhilic commented:
invalid because there is no sufficient data/explanations to support the explained issue
Kral01 commented:
only an issue if the protocol uses this LP pair
Escalate
This is not a dupe of #100. Though it focuses on a similar area of the code, the underlying issue is completely different. StableBPT is valued highly incorrectly for some pools and it will cause significant damage to the protocol.
Yes, not a duplicate of #100. @Gornutz, can you take a look at this?
Confirm this is not a duplicate of #100
Result: High Unique
Considering this a valid high issue as the wrong price is calculated and returned
0x52
high
Stable BPT valuation is incorrect and can be exploited to cause protocol insolvency
Summary
The current methodology for valuing Stable BPT is incorrect and can lead to significant overvaluation of the stable BPT.
Vulnerability Detail
StableBPTOracle.sol#L48-L53
The above block is used to calculate the price. It finds the min price of all assets in the pool, then multiplies it by the current rate of the pool. This is nearly identical to how stable Curve LP is priced. Balancer pools are a bit different and this methodology is incorrect for them.
Let's look at a current mainnet pool to see the problem. Take the wstETH/aETHc pool. Currently getRate() = 1.006. The lowest price is aETHc at 2,073.23. This values the LP at 2,085.66. The issue is that the LP's actual value is 1,870.67 (nearly 12% overvalued) which can be checked here.
Overvaluing the LP as such can cause protocol insolvency as the borrower can overborrow against the LP, leaving the protocol with bad debt.
Impact
Protocol insolvency due to overborrowing
Code Snippet
https://github.com/sherlock-audit/2023-07-blueberry/blob/main/blueberry-core/contracts/oracle/StableBPTOracle.sol#L37-L54
Tool used
Manual Review
Recommendation
Stable BPT oracles need to use a new pricing methodology
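The figures in the report, worked through as an added example (not part of the original report or the Blueberry code base): an off-chain sanity check that compares the min-price-times-getRate() valuation with a reference per-LP value and shows how the overvaluation inflates the real loan-to-value. The function names, the 2% tolerance, the two LTV settings and the wstETH price are assumptions constructed for illustration; the other numbers come from the report.

```python
from decimal import Decimal

def oracle_value(token_prices, pool_rate):
    """Valuation the report describes: lowest constituent price times getRate()."""
    return min(token_prices.values()) * pool_rate

def deviation(oracle, reference):
    """Fractional over- (positive) or under-valuation against a reference value."""
    return (oracle - reference) / reference

def shortfall_per_lp(oracle, reference, ltv):
    """Debt per LP token not backed by real value when borrowing at `ltv`
    of the oracle price (ltv is a hypothetical parameter)."""
    return max(Decimal(0), oracle * ltv - reference)

def review_pool(token_prices, pool_rate, reference, tolerance, ltv):
    """Collect the figures a monitoring job would alert on."""
    oracle = oracle_value(token_prices, pool_rate)
    dev = deviation(oracle, reference)
    return {
        "oracle": oracle,
        "deviation": dev,
        "alert": abs(dev) > tolerance,
        # LTV measured against real value, not the oracle's value
        "effective_ltv": ltv * oracle / reference,
        "shortfall": shortfall_per_lp(oracle, reference, ltv),
    }

# Figures from the report; the wstETH price is constructed (the report only
# says aETHc is the lowest-priced asset in the pool).
PRICES = {"wstETH": Decimal("2120.00"), "aETHc": Decimal("2073.23")}
RATE = Decimal("1.006")          # getRate()
REFERENCE = Decimal("1870.67")   # actual LP value per the report

if __name__ == "__main__":
    for ltv in (Decimal("0.85"), Decimal("0.95")):  # hypothetical LTV settings
        result = review_pool(PRICES, RATE, REFERENCE, Decimal("0.02"), ltv)
        print(ltv, {k: (round(v, 4) if isinstance(v, Decimal) else v)
                    for k, v in result.items()})
```

At the hypothetical 0.85 setting the position is still covered, but its effective LTV is about 0.95, so most of the intended safety margin is already gone before any price movement.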