The TWAP oracle uses 3CRV which is not exactly pegged to $1.00

Summary

The TWAP oracles uses the Ubiquity Dollar/3CRV metapool to track the price of the Ubiquity Dollar. The problem here is that the 3CRV is currently pegged to ~$1.03 which will cause the Ubiquity Dollar to also be ~$1.03.

Vulnerability Detail

Because there isnt a Chainlink feed for uAD, a Curve TWAP oracle must be used which relies on the uAD/3CRV metapool. The price of 3CRV is currently ~$1.03 so the price of the uAD will also be ~$1.03 when the pool is balanced.

Because the price of the uAD is supposed to be exactly $1.00 the metapool will be slightly unbalanced which will make the TWAP return inaccurate prices and will cause problems in the Ubiquity Pool where the price to mint or redeem must not be lower or bigger than the thresholds.

Impact

The price returned by the oracle will not be accurate and will cause problems for example users will be unable to mint or redeem in the Ubiquity Pool

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L111

require(
         getDollarPriceUsd() >= poolStorage.mintPriceThreshold,
         "Dollar price too low"
);

As you can see in LibUbiquityPool.sol there are thresholds which check if the price is equal to $1.00, if the oracle does not return exactly $1.00 users can fail to mint or redeem

Tool used

Manual Review

Recommendation

The easiest solution here would be to use a pool with a different stablecoin that is actually $1.00

Duplicate of #59

sherlock-admin2 commented 10 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Based on the situation and pool token price, the threasholds can be adjusted