cducrest-brainbot - Protocol may become insolvent

[sherlock-admin2]

cducrest-brainbot

medium

Protocol may become insolvent

Summary

The function to mint and redeem dollar takes/sends collateral from/to the user based on collateral price. If collateral price fluctuates in between a mint and a redeem, the contract may need to send more collateral than it owns. If the user redeems as much as the protocol owns, the remaining Ubiquity dollar's value is backed by no collateral.

Vulnerability Detail

The mint dollar function does the following:

• requires dollar price > mintThreshold (e.g. 1.01)
• calculate x collateral worth of y USD based on collateral price (y input)
• take x collateral from user
• send y Ubiquity dollar to user

Burn dollar:

• requires dollar price < burnThreshold (e.g. 0.99)
• calculate x collateral worth of y USD based on collateral price (y input)
• send x collateral to user (via a redeem delay)
• take y Ubiquity dollar from user

Imagine the following:

• DAI price is 1 USD, Ubiquity price is 1.01 USD
• user mints 1 Ubiquity dollar for 1 DAI
• DAI price drops to 0.99 USD, Ubiquity price drops to 0.99 USD
• user redeems 1 Ubiquity dollar for 1/0.99 =~ 1.0101 DAI
• the contract does not own the DAI and the transaction reverts
• user redeems 0.99 Ubiquity for 1 DAI
• The remaining 0.01 Ubiquity is not backed by any collateral

Impact

Anyone can leverage the fluctuating price of collateral to lower the amount of collateral backing ubiquity dollars over time. Users that own Ubiquity dollars may not be able to redeem any collateral. The value of Ubiquity dollar will eventually crash when people realize they are not backed by anything so the mint/redeem mechanism is no longer useful to maintain a stable price.

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L326-L386

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L399-L465

Tool used

Manual Review

Recommendation

Only take excess collateral from the user and and send restraint amount of collaterals on redeem. For example only allow minting by depositing DAI if DAI price is above 1 USD and mint 1 Ubiquity dollar per deposited DAI. Allow redeem in DAI only if DAI price is below 1 and burn 1 Ubiquity dollar per redeemed DAI.

Users will only mint Ubiquity dollar if it is worth more than DAI so they are still incentivized. Users will burn Ubiquity dollar only if Ubiquity dollar price is below DAI price, they are still incentivized.

The protocol would no longer run out of collateral and cannot reach a state where Ubiquity dollars are not backed by any collateral.

Duplicate of #17

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

The issue describes about the protocol insolvancy in case of collateral depeg. It's not avoidable, that's why the protocol has borrowing function to get yield, take fees on mint and redeem, these features will hedge the risk from protocol insolvancy

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

The issue describes about the protocol insolvancy in case of collateral depeg. It's not avoidable, that's why the protocol has borrowing function to get yield, take fees on mint and redeem, these features will hedge the risk from protocol insolvancy

[cducrest]

Escalate

This issue is wrongfully marked as duplicate of https://github.com/sherlock-audit/2023-12-ubiquity-judging/issues/17. https://github.com/sherlock-audit/2023-12-ubiquity-judging/issues/17 shows how a depeg of a collateral will impact uAD's price while this issue explains how collateral can be extracted from the protocol even when collateral prices vary slimly (tiny price difference above or below 1$ that always naturally occur, contrary to full depeg).

Specifically, this issue explains how the protocol may become insolvent due to this extraction of collateral by users, and how in the long term there will be uADs that are not backed by any collateral.

[sherlock-admin2]

Escalate

This issue is wrongfully marked as duplicate of https://github.com/sherlock-audit/2023-12-ubiquity-judging/issues/17. https://github.com/sherlock-audit/2023-12-ubiquity-judging/issues/17 shows how a depeg of a collateral will impact uAD's price while this issue explains how collateral can be extracted from the protocol even when collateral prices vary slimly (tiny price difference above or below 1$ that always naturally occur, contrary to full depeg).

Specifically, this issue explains how the protocol may become insolvent due to this extraction of collateral by users, and how in the long term there will be uADs that are not backed by any collateral.

The escalation could not be created because you are not exceeding the escalation threshold.

You can view the required number of additional valid issues/judging contest payouts in your Profile page, in the Sherlock webapp.

[Czar102]

Based on other comments revolving around this: https://github.com/sherlock-audit/2023-12-ubiquity-judging/issues/72#issuecomment-1914433231

From my understanding, the system experiences a profit, not a loss, on a cycle of mints and redeems.

If that's not contested, this submission is invalid.

[cducrest]

I don't believe the system experiences a profit. The pointed issue https://github.com/sherlock-audit/2023-12-ubiquity-judging/issues/72 states the attack can occur via a sandwich of chainlink's oracle updates. This issue describes the insolvency of the protocol (pointed out by multiple comments https://github.com/sherlock-audit/2023-12-ubiquity-judging/issues/72#issuecomment-1907827885, https://github.com/sherlock-audit/2023-12-ubiquity-judging/issues/72#issuecomment-1910609063, https://github.com/sherlock-audit/2023-12-ubiquity-judging/issues/72#issuecomment-1912475498) which is a real issue.

Taking into consideration the mentioned scenario:

* DAI price is 1 USD, Ubiquity price is 1.01 USD

* user mints 1 Ubiquity dollar for 1 DAI

* DAI price drops to 0.99 USD, Ubiquity price drops to 0.99 USD

* user redeems 1 Ubiquity dollar for `1/0.99 =~ 1.0101` DAI

* the contract does not own the DAI and the transaction reverts

* user redeems 0.99 Ubiquity for 1 DAI

* The remaining 0.01 Ubiquity is not backed by any collateral

One argument why this issue would not be valid is that the attacker minted 1 uAD for 1 DAI when DAI was worth 1$ so he spent 1$, and later when DAI prices drops to 0.99$ they can withdraw ~1.0101 DAI which is also worth 1$. However, this is based on the idea that the DAI price will not get back to 1$ while the majority of actors in the space believe it will.

Additionally, the lowering of collateral owned by the contract over time is a serious issue that will lead to the uAD being backed by less and less collateral and eventually insolvency of the protocol which will result in a crash of the uAD. I consider this issue more important than the profitability of the "arbitrage" by the attacker.