search

sherlock-audit / 2023-12-ubiquity-judging

2 stars 2 forks source link

Drynooo - There may be room for arbitrage beyond poolCeiling #151

Closed sherlock-admin closed 5 months ago

sherlock-admin commented 6 months ago

Drynooo

medium

There may be room for arbitrage beyond poolCeiling

Summary

When minting coins, there is room for arbitrage due to the price difference with the market. And because AMO can lend collateral, the arbitrage space can exceed the limit of poolCeiling.

Vulnerability Detail

  1. When the price of USD in curve is greater than 1.01, you can mint coins through the mintDollar function. At this time, mints are minted at a price of 1. So there is some room for arbitrage.
  2. The upper limit of minting will limit the collateral to poolCeiling. But when AMO borrows the collateral from the contract, the balance in the contract will decrease, which is equivalent to the upper limit of the coins that users can mint. To sum up the above two points, AMO borrowing collateral will give users more arbitrage space.

Pool ceiling will be affected by current balance

        require(
            freeCollateralBalance(collateralIndex).add(collateralNeeded) <=
                poolStorage.poolCeilings[collateralIndex],
            "Pool ceiling"
        );

freeCollateralBalance

    function freeCollateralBalance(
        uint256 collateralIndex
    ) internal view returns (uint256) {
        UbiquityPoolStorage storage poolStorage = ubiquityPoolStorage();
        return
            IERC20(poolStorage.collateralAddresses[collateralIndex])
                .balanceOf(address(this))
                .sub(poolStorage.unclaimedPoolCollateral[collateralIndex]);
    }

mint at price 1

    function getDollarInCollateral(
        uint256 collateralIndex,
        uint256 dollarAmount
    ) internal view returns (uint256) {
        UbiquityPoolStorage storage poolStorage = ubiquityPoolStorage();
        return
            dollarAmount
                .mul(UBIQUITY_POOL_PRICE_PRECISION)
                .div(10 ** poolStorage.missingDecimals[collateralIndex])
                .div(poolStorage.collateralPrices[collateralIndex]);
    }

When AMO returns the collateral, the amount of collateral in the contract may exceed the Pool ceiling.

Impact

This creates a larger arbitrage space, and users can profit from arbitrage. Moreover, it also affects the issuance quantity of USD to a certain extent.

Code Snippet

Tool used

Manual Review

Recommendation

It is recommended to record the amount borrowed by AMO and take it into consideration when verifying the Pool ceiling.

Duplicate of #174

sherlock-admin2 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Based on how many tokens are minted and borrowed, the poolCeiling can be controlled by admin

sherlock-admin2 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Based on how many tokens are minted and borrowed, the poolCeiling can be controlled by admin