sherlock-audit / 2023-12-ubiquity-judging

ilchovski - Protocol incorrectly calculates how much collateral is needed for minting Dollar tokens #146

Closed sherlock-admin2 closed 10 months ago

sherlock-admin2 commented 10 months ago

ilchovski

high

Protocol incorrectly calculates how much collateral is needed for minting Dollar tokens

Summary

Protocol falsely assumes that 1 Dollar is always 1 USD when calculating the needed collateral amount during minting of new Dollar tokens.

Vulnerability Detail

LibUbiquityPool.sol:getDollarInCollateral doesn't take into consideration the price of the Dollar token in USD but only its amount. Essentially, the calculation says:

    function test_collateralCalc() public {
        uint256 dollarAmount = 2e18; // 2 Dollar
        uint256 UBIQUITY_POOL_PRICE_PRECISION = 1e6;
        uint256 LUSD_missingDecimals = 0;
        uint256 LUSD_pricePerOneTokenInUSD = 1e6; // 1 USD

        uint256 neededCollateral = dollarAmount * UBIQUITY_POOL_PRICE_PRECISION / 10 ** LUSD_missingDecimals / LUSD_pricePerOneTokenInUSD;

        assertEq(neededCollateral, 2e18);
    }

Impact

If the Dollar token costs 0.9 USD, users will pay 1 USD in collateral value per token. Additionally, in the mintDollar function there is a fee that further decreases the dollar amount minted to the user, essentially overcharging the user. Undercharging also happens when 1 Dollar is 1.1 USD in value: then for each Dollar token the protocol will get only 1 USD of collateral value (without taking fees into consideration here).

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L355C10-L355C10

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L284

Tool used

Manual Review

Recommendation

Instead of dollar amount * UBIQUITY_POOL_PRICE_PRECISION, use dollarAmount * dollarPricePerTokenInUSD in the calculation.

Duplicate of #157
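
The two formulas from the report, compared side by side in a Foundry test. This is an added example, not part of the original report or the Ubiquity code base. Contract and helper names are hypothetical, the Dollar price is assumed to use the same 1e6 precision as the collateral price, and the 6-decimal collateral case goes beyond the report's LUSD case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

// Added illustration; contract and helper names are hypothetical, not project code.
contract DollarCollateralPricingTest is Test {
    uint256 constant UBIQUITY_POOL_PRICE_PRECISION = 1e6;

    // Formula as described in the report: the Dollar is implicitly priced at 1 USD.
    function collateralAtAssumedPeg(
        uint256 dollarAmount,
        uint256 missingDecimals,
        uint256 collateralPriceUsd
    ) internal pure returns (uint256) {
        return dollarAmount * UBIQUITY_POOL_PRICE_PRECISION / 10 ** missingDecimals / collateralPriceUsd;
    }

    // Formula from the Recommendation: scale by the Dollar's USD price
    // (assumption: quoted with 1e6 precision, like the collateral price).
    function collateralAtDollarPrice(
        uint256 dollarAmount,
        uint256 dollarPriceUsd,
        uint256 missingDecimals,
        uint256 collateralPriceUsd
    ) internal pure returns (uint256) {
        return dollarAmount * dollarPriceUsd / 10 ** missingDecimals / collateralPriceUsd;
    }

    function test_pegAssumptionVsDollarPrice() public {
        uint256 dollarAmount = 2e18; // 2 Dollar, as in the report's test
        uint256 lusdPrice = 1e6; // 1 USD per LUSD; 18 decimals, so missingDecimals = 0

        // The peg-based result does not depend on the Dollar's price at all.
        assertEq(collateralAtAssumedPeg(dollarAmount, 0, lusdPrice), 2e18);

        // Dollar at 0.9 USD: price-aware amount is 1.8 LUSD (peg formula asks 0.2 more).
        assertEq(collateralAtDollarPrice(dollarAmount, 0.9e6, 0, lusdPrice), 1.8e18);
        // Dollar at 1.1 USD: price-aware amount is 2.2 LUSD (peg formula asks 0.2 less).
        assertEq(collateralAtDollarPrice(dollarAmount, 1.1e6, 0, lusdPrice), 2.2e18);
        // At exactly 1 USD both formulas agree.
        assertEq(collateralAtDollarPrice(dollarAmount, 1e6, 0, lusdPrice), 2e18);

        // Constructed 6-decimal collateral (missingDecimals = 12), priced at 1 USD.
        assertEq(collateralAtAssumedPeg(dollarAmount, 12, 1e6), 2e6);
        assertEq(collateralAtDollarPrice(dollarAmount, 0.9e6, 12, 1e6), 1.8e6);
    }
}
```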

sherlock-admin2 commented 10 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

The issue describes that the required collateral amount is not determined by the Ubiquity Dollar price but by $1. I think it's a protocol decision, and it seems fine to stick the Ubiquity Dollar price to $1.