TWAPOracleDollar3poolFacet contract owner can't set pool success by 1 wei attack

Summary

TWAPOracleDollar3poolFacet contract owner can't set pool success because wrong if statement.

Vulnerability Detail

When TWAPOracleDollar3poolFacet contract owner set pool by LibTWAPOracle.setPool function, it will judge whether IMetaPool(_pool).balances(0) ie equal to IMetaPool(_pool).balances(1) or not, if not equal, it will failed.

 uint256 _reserve0 = uint112(IMetaPool(_pool).balances(0));
uint256 _reserve1 = uint112(IMetaPool(_pool).balances(1));

// ensure that there's liquidity in the pair
require(_reserve0 != 0 && _reserve1 != 0, "TWAPOracle: NO_RESERVES");
// ensure that pair balance is perfect
require(_reserve0 == _reserve1, "TWAPOracle: PAIR_UNBALANCED");

Protocol deploy their own metapool by curve metapool factory and set the pool, but if malicious attacker transfer 1 wei _curve3CRVToken1 to the pool, the if statement will not pass, so owner can't set pool success forever.

Impact

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L45-L60

Tool used

vscode, Manual Review

Recommendation

Remove the require(_reserve0 == _reserve1, "TWAPOracle: PAIR_UNBALANCED"); statement in LibTWAPOracle.setPool function.

Duplicate of #14

sherlock-admin2 commented 10 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

The issue describes about DOSing setPool function by manipulating the Curve pool, but it's assumed that the Curve pool deployment, LP deposit, and setPool will be handled in one tx using multicall structure