search

sherlock-audit / 2023-12-ubiquity-judging

2 stars 2 forks source link

evmboi32 - Dollar token won't be pegged to 1 USD. #141

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 8 months ago

evmboi32

high

Dollar token won't be pegged to 1 USD.

Summary

Incorrect target set for the Dollar token. Won't be pegged to $1.

Vulnerability Detail

The price of the Dollar token is pegged to the value of 13CRV token from the DAI/USDC/USDT pool. But currently, the 3CRV token is trading just below $1.03.

When minting or burning dollar tokens the contract uses the getDollarPriceUsd() function

require(
    getDollarPriceUsd() >= poolStorage.mintPriceThreshold,
    "Dollar price too low"
);
require(
    getDollarPriceUsd() <= poolStorage.redeemPriceThreshold,
    "Dollar price too high"
);

The function reads the price from the TWAP which returns the price of dollar tokens in DOLLAR TOKENS/3CRV TOKENS in the pool. So the goal is to peg the Dollar token to the 3CRV token which trades higher than $1.

function getDollarPriceUsd()
    internal
    view
    returns (uint256 dollarPriceUsd)
{
    // get Dollar price from Curve Metapool (18 decimals)
    uint256 dollarPriceUsdD18 = LibTWAPOracle.getTwapPrice();
    // convert to 6 decimals
    dollarPriceUsd = dollarPriceUsdD18
        .mul(UBIQUITY_POOL_PRICE_PRECISION)
        .div(1e18);
}

Marked as high as the goal of the protocol is to peg to 1 USD.

Impact

Dollar token won't be pegged to $1 but to $1.03 as the 3CRV token is worth ~$1.03

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L418-L421

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L346-L349

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L306

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L161

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L111-L122

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L84-L97

Tool used

Manual Review

Recommendation

Adjust the targets according to the 3CRV price. The price can be obtained by calling get_virtual_price on the 3CRV pool located at the address 0xbEbc44782C7dB0a1A60Cb6fe97d0b483032FF1C7 on mainnet.

Duplicate of #59

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Defining Ubiquitiy Dollar price based on LP price is protocol decision and seems fine

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Defining Ubiquitiy Dollar price based on LP price is protocol decision and seems fine