XDZIBEC - Oracle Price Manipulation in MintDollar and redeemDollar Functions

[sherlock-admin]

XDZIBEC

high

Oracle Price Manipulation in MintDollar and redeemDollar Functions

Summary

See vulnerability details

Vulnerability Detail

• In the mintDollar function the vulnerability is arises from the reliance on a single oracle (LibTWAPOracle) for determining the dollar price when minting Ubiquity Dollars. If this oracle is compromised or reports inflated values, it could be exploited to mint more dollars than the collateral's true value. Here is the vulnerable part:

  /// @inheritdoc IUbiquityPool
  function mintDollar(
      uint256 collateralIndex,
      uint256 dollarAmount,
      uint256 dollarOutMin,
      uint256 maxCollateralIn
  ) external returns (uint256 totalDollarMint, uint256 collateralNeeded) {
      return
          LibUbiquityPool.mintDollar(
              collateralIndex,
              dollarAmount,
              dollarOutMin,
              maxCollateralIn
          );
  }

• here is an example for min function :
• in normal Condition: 1 ETH = $3,000 True Market Rate, Oracle Reports = $3,000.
• this is Manipulated Condition: Oracle Reports 1 ETH = $3,300 (10% Inflated). Attacker’s Action: Deposits 1 ETH as collateral to mint Ubiquity Dollars. the result is : Without Manipulation: Mints 3,000 Ubiquity Dollars. With Manipulation: Mints 3,300 Ubiquity Dollars.
• In the redeemDollar function the vulnerability is Similar to mintDollar, the redeemDollar function relies on the oracle for dollar pricing. A manipulated lower dollar value can lead to withdrawing more collateral than entitled. Here is the vulnerable part:

  /// @inheritdoc IUbiquityPool
  function redeemDollar(
      uint256 collateralIndex,
      uint256 dollarAmount,
      uint256 collateralOutMin
  ) external returns (uint256 collateralOut) {
      return
          LibUbiquityPool.redeemDollar(
              collateralIndex,
              dollarAmount,
              collateralOutMin
          );
  }

Here is an example: In normal Condition: 1 Ubiquity Dollar = $1 True Market Rate, Oracle Reports = $1. Manipulated Condition: Oracle Reports 1 Ubiquity Dollar = $0.90 (10% Deflated). Attacker’s Action: Redeems Ubiquity Dollars for ETH collateral. the result : Without Manipulation: Redeems $1,000 worth of Ubiquity Dollars for an equivalent amount of ETH. With Manipulation: Redeems $1,000 worth of Ubiquity Dollars for more ETH than it's worth.

Impact

• if an attacker can exploit this vulnerability it’s gone be able to manipulate the oracle to report higher prices for the collateral, leading to the minting of an excessive amount of Ubiquity Dollars and in the redeemDollar can lead to Loss of additional collateral from the pool

  Code Snippet

• https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/facets/UbiquityPoolFacet.sol#L77-#L90
• https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/facets/UbiquityPoolFacet.sol#L93-#L104

  Tool used

  Manual Review

  Recommendation

• It’s better to adding checks in the mintDollar function against multiple oracles.
• And for the redeemDollar function add Cross-validation with multiple oracle sources

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

1. Stablecoins like LUSD or DAI are used as collateral 2. TWAP is used as oracle to hedge price deviation

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

1. Stablecoins like LUSD or DAI are used as collateral 2. TWAP is used as oracle to hedge price deviation

[nevillehuang]

Invalid, this issue is stating how a TWAP can be maniplated but doesn't prove how it can. So this is just speculation and just stating a design improvemnt suggestion