Closed sherlock-admin closed 6 months ago
1 comment(s) were left on this issue during the judging contest.
nirohgo commented:
Invalid because inspite of the observation being corrent there is no viable scenario where this would cause a meterial loss of funds. This would only affect the appraiser metrics with regards to non-pol bunnyToken funds held in the treasury (see _backing() function) and skew the value by univ3 fees that were not yet collected (way below 1% in most cases) plus any inaccuracy would be smooth potentially by use of additional feeds and moving average.
tvdung94
high
BunniPrice::_getBunniReserves() does not add uncollected fee into total value calculation
Summary
BunniPrice::_getBunniReserves() does not add uncollected fee into total value calculation.
Vulnerability Detail
A bunni token is an erc20 token representing a uniswapv3 position with specific range. When the price enters this range, the position will get reward (uncollected fee). The fee is separated from the position, so it needs to be manually added to total value.
Impact
Incorrect reserve amount, since fee is not accounted into total value.
Code Snippet
https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/PRICE/submodules/feeds/BunniPrice.sol#L192-L207
Tool used
Manual Review
Recommendation
Consider add fee into calculation
Duplicate of #37