Closed sherlock-admin2 closed 7 months ago
sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
auditsea commented:
Defining Ubiquitiy Dollar price based on LP price is protocol decision and seems fine
sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
auditsea commented:
Defining Ubiquitiy Dollar price based on LP price is protocol decision and seems fine
ilchovski
high
Incorrect pricing of the Dollar token
Summary
Dollar token is priced in 3CRV liquidity pool tokens instead of USD.
Vulnerability Detail
The protocol decides when to allow/forbid users to mint/burn Dollar tokens based on how much 3CRV liquidity pool tokens 1 Dollar token can get by intending control the price of the Dollar token to be 1 USD. Unfortunately historically the 3CRV liquidity pool token fluctuates in price in comparison to USD and is not an accurate metric.
Impact
Protocol allow/forbid users to mint/burn Dollar tokens based on incorrect metric of USD.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L347C22-L347C22
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L300
Tool used
Manual Review
Recommendation
This really depends on the protocol's strategy to decide how this issue should be resolved. For example, the team could decide to create their own price feed, maintain it and average out the exchange rate of the token from different number of pools/pairs of tokens that are pegged to the USD like DAI etc in order to have more stability and less risk of price manipulation.
Duplicate of #59