search

sherlock-audit / 2023-12-ubiquity-judging

2 stars 2 forks source link

evmboi32 - Calling `collateralUsdBalance()` can return the wrong value. #139

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 8 months ago

evmboi32

medium

Calling collateralUsdBalance() can return the wrong value.

Summary

Calling collateralUsdBalance() can return the wrong value.

Vulnerability Detail

Calling the collateralUsdBalance() won't update the collateral price by reading the latest data from chainlink oracle. This could lead to the discrepancy and return incorrect stale data.

function collateralUsdBalance()
    internal
    view
    returns (uint256 balanceTally)
{
    UbiquityPoolStorage storage poolStorage = ubiquityPoolStorage();
    uint256 collateralTokensCount = poolStorage.collateralAddresses.length;
    balanceTally = 0;

    for (uint256 i = 0; i < collateralTokensCount; i++) {
        balanceTally += freeCollateralBalance(i)        
            .mul(10 ** poolStorage.missingDecimals[i]) 
            .mul(poolStorage.collateralPrices[i])      
            .div(UBIQUITY_POOL_PRICE_PRECISION);        
    }
}

Impact

External contracts relying on the usd balance of collateral available in the UbiquidityPool can receive wrong info as the prices could be stale.

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L247-L261

Tool used

Manual Review

Recommendation

Update the price before calculating the value of the collateral.

function collateralUsdBalance()
    internal
    view
    returns (uint256 balanceTally)
{
    UbiquityPoolStorage storage poolStorage = ubiquityPoolStorage();
    uint256 collateralTokensCount = poolStorage.collateralAddresses.length;
    balanceTally = 0;

    for (uint256 i = 0; i < collateralTokensCount; i++) {
+       updateChainLinkCollateralPrice(i);
        balanceTally += freeCollateralBalance(i)    
            .mul(10 ** poolStorage.missingDecimals[i]) 
            .mul(poolStorage.collateralPrices[i])       
            .div(UBIQUITY_POOL_PRICE_PRECISION);        
    }
}

Duplicate of #195

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

The price of collaterals are updated before mint/redeem, so it's guaranteed not being stale

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

The price of collaterals are updated before mint/redeem, so it's guaranteed not being stale