sherlock-audit / 2023-11-olympus-judging


ge6a - getBunniTokenPrice wrongly returns the total price of all tokens #198

Open sherlock-admin2 opened 6 months ago

sherlock-admin2 commented 6 months ago

ge6a

high

getBunniTokenPrice wrongly returns the total price of all tokens

Summary

The function getBunniTokenPrice() is supposed to return the price of 1 Bunni token (1 share) like all other feeds, but it doesn't. It returns the total price of all minted tokens/shares for a specific pool (total value of position's reserves) which is wrong.

Vulnerability Detail

This happens because the totalValue on line 163 is not divided by the total tokens supply.

https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/PRICE/submodules/feeds/BunniPrice.sol#L110-L166

Impact

The function getBunniTokenPrice always returns a wrong price. This would impact the operation of the RBS module. For instance, using the wrong price during a swap may lead to financial losses for the protocol.

Code Snippet

https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/PRICE/submodules/feeds/BunniPrice.sol#L110-L166

Tool used

Manual Review

Recommendation

Divide totalValue by the total tokens supply.
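As an added illustration of the finding above (example code written for this page, not code from BunniPrice.sol, from the reporter, or from the fix PR), the following Python model reproduces the arithmetic of a reserve-backed share price in 18-decimal fixed point, the way a Solidity feed would compute it. The `BunniPosition` fields, the 18-decimal output scale and the sample pool numbers are all assumptions constructed for the example; the real submodule derives the position value from the Uniswap V3 position and the PRICE module's asset prices. The point it makes is the one a reviewer can turn into a test: a price-per-share feed must be invariant under a proportional deposit, whereas the total-value version scales with supply.

```python
from dataclasses import dataclass

# 18-decimal fixed point for prices and USD values (assumed output scale).
SCALE = 10**18


@dataclass(frozen=True)
class BunniPosition:
    """Simplified, hypothetical view of one Bunni token's pool position."""
    reserve0: int      # token0 held by the position, in token0 base units
    reserve1: int      # token1 held by the position, in token1 base units
    decimals0: int     # ERC-20 decimals of token0
    decimals1: int     # ERC-20 decimals of token1
    total_supply: int  # Bunni token (share) supply, 18 decimals


def position_total_value(pos: BunniPosition, price0: int, price1: int) -> int:
    """USD value of all reserves behind the position, 18-decimal fixed point.

    price0 / price1 are 18-decimal USD prices per whole token, so each
    reserve is scaled down by its own token decimals first."""
    value0 = pos.reserve0 * price0 // 10**pos.decimals0
    value1 = pos.reserve1 * price1 // 10**pos.decimals1
    return value0 + value1


def bunni_token_price_buggy(pos: BunniPosition, price0: int, price1: int) -> int:
    """Mirrors the reported defect: the value of the whole position is
    returned as if it were the price of one share."""
    return position_total_value(pos, price0, price1)


def bunni_token_price_fixed(pos: BunniPosition, price0: int, price1: int) -> int:
    """Divide the position value by the share supply (18 decimals) so the
    result is the value of exactly 1e18 shares, i.e. one whole Bunni token."""
    if pos.total_supply == 0:
        raise ValueError("no shares minted, price undefined")
    return position_total_value(pos, price0, price1) * SCALE // pos.total_supply


def scaled(pos: BunniPosition, k: int) -> BunniPosition:
    """The same pool after a proportional deposit: k times the reserves
    and k times the shares, so the per-share value is unchanged."""
    return BunniPosition(pos.reserve0 * k, pos.reserve1 * k,
                         pos.decimals0, pos.decimals1, pos.total_supply * k)


def price_is_supply_invariant(price_fn, pos: BunniPosition,
                              price0: int, price1: int, k: int = 3) -> bool:
    """Invariant a correct per-share feed must satisfy; a total-value feed fails it."""
    return price_fn(pos, price0, price1) == price_fn(scaled(pos, k), price0, price1)


# Constructed sample pool: 10 token0 (18 decimals) at $2000, 20,000 token1
# (6 decimals) at $1, backed by 4 whole Bunni tokens (4e18 shares).
SAMPLE = BunniPosition(reserve0=10 * 10**18, reserve1=20_000 * 10**6,
                       decimals0=18, decimals1=6, total_supply=4 * 10**18)
P0 = 2_000 * SCALE
P1 = 1 * SCALE

if __name__ == "__main__":
    print("position value :", position_total_value(SAMPLE, P0, P1) // SCALE, "USD")
    print("buggy 'price'  :", bunni_token_price_buggy(SAMPLE, P0, P1) // SCALE, "USD")
    print("fixed price    :", bunni_token_price_fixed(SAMPLE, P0, P1) // SCALE, "USD per token")
    print("buggy invariant:", price_is_supply_invariant(bunni_token_price_buggy, SAMPLE, P0, P1))
    print("fixed invariant:", price_is_supply_invariant(bunni_token_price_fixed, SAMPLE, P0, P1))
```

With the sample numbers the position is worth 40,000 USD; the buggy function reports that figure as the token price, while the corrected one reports 10,000 USD per token, and only the corrected one keeps the same answer after the supply and reserves are tripled.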

0xrusowsky commented 6 months ago

https://github.com/OlympusDAO/bophades/pull/244

IAm0x52 commented 5 months ago

Fix looks good. Token price is now normalized to get price per token.