Closed sherlock-admin2 closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
auditsea commented:
The protocol will deploy new Curve metapool with adjusted token amounts as liquidity
b0g0
medium
User can mint dollars even if the price is beyond the mintPriceThreshold
Summary
LibUbiquityPool.mintDollar() includes the following check:
The idea of mintPriceThreshold is to prevent mints at prices that wouldn't be acceptable to the protocol. However, any mint that occurs in the same block in which a pool gets set will bypass that check.
Vulnerability Detail
Before the check for poolStorage.mintPriceThreshold is made, LibTWAPOracle.update() is called so that the latest price gets fetched from TWAPOracle. This is the function for updating the price:
It's important to notice here that the price is updated only if an update was not made in the same block already:
if (blockTimestamp - ts.pricesBlockTimestampLast > 0)
When a pool is being set in the oracle, ts.pricesBlockTimestampLast is set to the latest recorded TWAP timestamp and the prices are hardcoded to 1 ether:
This means that for the duration of that block no more price updates will happen and the dollar price will be $1 regardless of the real price (which is actually around $1.34 according to the current Curve pool).
This means that the update before the check for poolStorage.mintPriceThreshold in mintDollar will not do anything and the price returned will be $1 (instead of the real one, $1.34). So an advantageous user/bot might monitor the pool for the setPool() transaction and mint quite a big amount of dollar tokens at a discounted rate. After that he can swap those tokens in the Curve pool and profit from the difference of 0.34 "cents" per Dollar. Considering the pool itself has low liquidity of 40K, this might distort the prices heavily. I'm quoting a comment from the sponsors provided in the Audit List document under Things to double-check:
"Check that LibTWAPOracle updates average prices correctly. The old Curve's metapool (which we plan to redeploy) has 40k Dollars in liquidity so we should make sure that it's hard to manipulate Curve's TWAP with 40k of liquidity which is pretty low."
Impact
Advantageous parties can mint dollars at discounted prices and possibly affect the prices in the Curve pool if enough tokens are minted.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L344-L348
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L68
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L52-L58
Tool used
Manual Review
Recommendation
Consider restricting minting for the first couple of blocks after the pool is set so that there is enough time for the prices to update.
Duplicate of #20
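A runnable model of the sequence described in the report above, together with the block delay it recommends, added here as an example; it is not code from the Ubiquity repository or from the reporter, and the names TWAPOracleModel, UbiquityPoolModel, CurvePoolStub, mint_outcome and scenario are invented for it. It assumes that setPool stamps the oracle with the current block's timestamp and hardcodes the average to 1 ether, and that mintDollar allows a mint only when the oracle price is at or above mintPriceThreshold. The numbers are constructed: a threshold of 1.00, the $1.34 market price quoted in the report, and a $0.90 market price that goes beyond the report's own case to show a mint passing the threshold check in the setPool block and failing it one block later.

```python
"""Constructed model of the same-block oracle gap (not the Ubiquity contracts)."""

ONE = 10**18  # 18-decimal fixed point, like Solidity's 1 ether


class CurvePoolStub:
    """Stand-in for the Curve metapool: only exposes the dollar's market price."""

    def __init__(self, dollar_price_usd: int):
        self.dollar_price_usd = dollar_price_usd


class TWAPOracleModel:
    """Mirrors the two LibTWAPOracle behaviours the report relies on."""

    def __init__(self):
        self.pool = None
        self.prices_block_timestamp_last = 0
        self.price0_average = 0

    def set_pool(self, pool: CurvePoolStub, block_timestamp: int) -> None:
        # Assumption: the recorded timestamp is the current block's, and the
        # average is hardcoded to 1 ether, as the report describes.
        self.pool = pool
        self.prices_block_timestamp_last = block_timestamp
        self.price0_average = ONE

    def update(self, block_timestamp: int) -> bool:
        # Refresh at most once per block; returns False when the update is skipped.
        if block_timestamp - self.prices_block_timestamp_last > 0:
            self.price0_average = self.pool.dollar_price_usd
            self.prices_block_timestamp_last = block_timestamp
            return True
        return False


class MintBlocked(Exception):
    pass


class UbiquityPoolModel:
    """mintDollar with the oracle update before the threshold check; mint_delay_blocks=0
    reproduces the reported behaviour, a positive value applies the recommendation."""

    def __init__(self, oracle: TWAPOracleModel, mint_price_threshold: int, mint_delay_blocks: int = 0):
        self.oracle = oracle
        self.mint_price_threshold = mint_price_threshold
        self.mint_delay_blocks = mint_delay_blocks
        self.pool_set_at_block = None
        self.minted = 0

    def set_pool(self, pool: CurvePoolStub, block_number: int, block_timestamp: int) -> None:
        self.oracle.set_pool(pool, block_timestamp)
        self.pool_set_at_block = block_number

    def mint_dollar(self, amount: int, block_number: int, block_timestamp: int) -> int:
        # Recommended fix: refuse mints until the oracle has had blocks in which to update.
        if self.pool_set_at_block is not None and block_number - self.pool_set_at_block < self.mint_delay_blocks:
            raise MintBlocked("pool was set too recently")
        self.oracle.update(block_timestamp)  # no-op inside the setPool block
        price = self.oracle.price0_average
        # Assumed direction of the guard: mint only when the dollar is at or above the threshold.
        if price < self.mint_price_threshold:
            raise MintBlocked("Dollar price too low")
        self.minted += amount
        return price  # the price the check was evaluated against


def mint_outcome(pool_model: UbiquityPoolModel, amount: int, block_number: int, block_timestamp: int):
    try:
        return ("minted", pool_model.mint_dollar(amount, block_number, block_timestamp))
    except MintBlocked as exc:
        return ("blocked", str(exc))


def scenario(market_price: int, threshold: int, mint_delay_blocks: int = 0):
    """setPool at block 100, then one mint attempt in each of blocks 100, 101 and 102 (12 s blocks)."""
    oracle = TWAPOracleModel()
    pool_model = UbiquityPoolModel(oracle, threshold, mint_delay_blocks)
    pool_model.set_pool(CurvePoolStub(market_price), block_number=100, block_timestamp=1_700_000_000)
    return tuple(
        mint_outcome(pool_model, 10_000 * ONE, 100 + i, 1_700_000_000 + 12 * i) for i in range(3)
    )


if __name__ == "__main__":
    print("market 1.34, no delay:", scenario(134 * ONE // 100, ONE))
    print("market 0.90, no delay:", scenario(90 * ONE // 100, ONE))
    print("market 0.90, 2-block delay:", scenario(90 * ONE // 100, ONE, mint_delay_blocks=2))
```

In the first two scenarios the mint in block 100 is checked against 1.00 whatever the Curve price is; with the market at 0.90 it passes in block 100 and is rejected from block 101 on. With the two-block delay the mints in blocks 100 and 101 are refused before the oracle is even consulted, and by block 102 the update has run and the check sees the real price.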