search

sherlock-audit / 2023-12-ubiquity-judging

2 stars 2 forks source link

Bauer - Possible arbitrage from Chainlink price discrepancy #150

Closed sherlock-admin2 closed 6 months ago

sherlock-admin2 commented 6 months ago

Bauer

high

Possible arbitrage from Chainlink price discrepancy

Summary

The protocol calculates the amount of collateral based on Chainlink quotes, and Chainlink quotes are not real-time, which introduces deviations. This creates an arbitrage opportunity.

Vulnerability Detail

Currently UBIQUITY relies on the following chainlink price feeds in order to calculate LUSD / USD exchange rate: # Price Feed Deviation Heartbeat
1 LUSD / USD 1% 3600s
2 DAI / USD 0.25% 3600s

As we can see, an acceptable deviation for LUSD / USD price feed is about [-1% 1%], meaning that the nodes will not update an on-chain price, in case the boundaries are not reached within the 24h period. These deviations are significant enough to open an arbitrage opportunities which will impact an overall LUSD / USD exchange rate badly.

As we can see, an acceptable deviation for LUSD / USD price feed is about [-1% 1%], meaning that the nodes will not update an on-chain price, in case the boundaries are not reached within the 24h period. These deviations are significant enough to open an arbitrage opportunities which will impact an overall LUSD / USD exchange rate badly. In the mintDollar() function, the protocol calculates the required collateralNeeded using dollarAmount/collateralPrices. 

    function getDollarInCollateral(
        uint256 collateralIndex,
        uint256 dollarAmount
    ) internal view returns (uint256) {
        UbiquityPoolStorage storage poolStorage = ubiquityPoolStorage();
        return
            dollarAmount
                .mul(UBIQUITY_POOL_PRICE_PRECISION)
                .div(10 ** poolStorage.missingDecimals[collateralIndex])
                .div(poolStorage.collateralPrices[collateralIndex]);
    }

Similarly, in the redeemDollar() function, it calculates collateralOut for the user using the same method. If the collateral price is at its maximum (+1%) during mintDollar() and at its minimum (-1%) during redeemDollar(), an arbitrage opportunity arises.

Impact

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L355

Tool used

Manual Review

Recommendation

I was thinking about utilizing multiple price oracles, which could potentially close any profitable opportunities

Duplicate of #72

sherlock-admin2 commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

REF #080

sherlock-admin2 commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

REF #080