search

sherlock-audit / 2023-12-ubiquity-judging

2 stars 2 forks source link

infect3d - Wrong rouding direction in mintDollar make it possible to mint Dollars against 0 collateral #178

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 8 months ago

infect3d

medium

Wrong rouding direction in mintDollar make it possible to mint Dollars against 0 collateral

Summary

Vulnerability Detail

The getDollarInCollateral(uint256 collateralIndex, uint256 dollarAmount) function round down the value, and is used in both the mintDollar and redeemDollar functions.

While its a correct implementation in the redeemDollar, it is not for the mintDollar as it make it possible for a user to mint Dollar tokens against 0 of his collateral due to the rounding down of the collateralNeeded result.

File: src\dollar\libraries\LibUbiquityPool.sol
284:     function getDollarInCollateral(
285:         uint256 collateralIndex,
286:         uint256 dollarAmount
287:     ) internal view returns (uint256) {
288:         UbiquityPoolStorage storage poolStorage = ubiquityPoolStorage();
289:         return
290:             dollarAmount // if dollarAmount exponent is less than missingDecimal return 0
291:                 .mul(UBIQUITY_POOL_PRICE_PRECISION) //1e6
292:                 .div(10 ** poolStorage.missingDecimals[collateralIndex])
293:                 .div(poolStorage.collateralPrices[collateralIndex]); //1e6 
294:     }

This can though only happen with collateral with decimals <18, and these kind of tokens seems expected in the future as there's a parameter dedicated for that

Impact

Leak of value for the pool, that will add up over time. The last user of the pool will not be able to redeem its whole balance (user could also be a smart-contract always redeeming the exact balance it minted)

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#293 https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#355

Tool used

Manual Review

Recommendation

Round up as it is expected for such operations, or ensure that collateralNeeded > 0 when minting

Duplicate of #7

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

$1e-6 can be freely minted, can't even compensate gas

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

$1e-6 can be freely minted, can't even compensate gas