Closed sherlock-admin closed 7 months ago
Correction, price deviation should be 0.01$ instead of 0.1$ which I assumed above, as mintPriceThreshold
allows deviation upto 0.01$. So practically loss can be around 10k.
1 comment(s) were left on this issue during the judging contest.
auditsea commented:
The issue describes that required collateral amount is not determined by Ubiquity Dollar price but by $1, I think it's protocol decision and it seems fine to stick Ubiquity Dollar price to $1
@pavlovcik @rndquu @gitcoindev
1 comment(s) were left on this issue during the judging contest.
auditsea commented:
The issue describes that required collateral amount is not determined by Ubiquity Dollar price but by $1, I think it's protocol decision and it seems fine to stick Ubiquity Dollar price to $1
I'm not sure if I'm fully understanding the vulnerability. However consider this intended mechanism design:
The system is designed to provide financial incentives for arbitrageurs to stabilize the token price.
Does that address this issue?
@blutorque
I don't understand the issue.
As far as I understand you provide the following example:
$1.1
This is expected behaviour since on "step 2" 1 mln of Dollar tokens are minted hence the Dollar token price goes from $1.1
to $1.00
.
The test (code snippet) is also not clear. Pls provide a test with malicious behaviour and expected one.
This only looks like a normal expected arbitrage and does not take in count other scenarios, also the user didn't provide an accurate proof on concept with out current mechanism because:
the user stated a comment in a variable:
uint256 dollarPrice = 1.1e6; // can't find a way to set price via twap
It will be impossible for us to fully determine an issue without providing a correct concept proof within our mechanism in this case fully setting a Price with the TWAP
lastly the profit looks normal due to market change and doesn't show the "EXTRA" tokens aside the profit
say there is no a liquidity disaster
blutorque
high
Theft of dollar token
Summary
Attacker can exploit the wrong accounting in
getDollarInCollateral
fn to pay less collateral than is needed.Vulnerability Detail
The issues lies in
getDollarInCollateral
fn, the way we use it withmintDollar
fn:To
mintDollar
, a user can specified collateralIndex, dollarAmount, etc. The fn internally usesgetDollarInCollateral
to determine how much collateral is needed to mint user-specified dollarAmount. Before this call, it ensures the dollar USD price is up to date(via callingLibTWAPOracle.update()
). However, it fails to convert the dollarAmount to the USD value of dollarAmount before passing it to thegetDollarInCollateral
fn.That means, if currently dollar price is at 1.1 usd/uad, an attacker can pay collateral worth 1mil USD to get 1mil uad(= 1mil x 1.1 USD), considering zero fees. Consequently, the attacker can pocket an extra $100k worth of dollar tokens.
Impact
Fund loss.
Code Snippet
Add test to
/packages/contracts/test/diamond/facets/UbiquityPoolFacet.t.sol
and runforge test --mt test_exploit -vv
Tool used
Manual Review
Recommendation
Fix it by converting dollarAmount to USD value of dollarAmount using
getDollarPriceUsd
into thegetDollarInCollateral
fn, https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L284-L294