Closed sherlock-admin closed 10 months ago
1 comment(s) were left on this issue during the judging contest.
auditsea commented:
$1e-6 can be freely minted, can't even compensate gas
Varun_05
high
Should not be allowed to mint dollar when collateral needed to mint dollar is equal to zero.
Summary
A user can mint dollar tokens for free and, if the price of the collateral index decreases, he can even get collateral by redeeming the dollar tokens. This vulnerability is different from the one I submitted earlier because, even if the user is forced to use the same collateral index in the mint and redeem dollar functions, he can get dollar tokens for free and use those tokens to get the collateral tokens for free.
Vulnerability Detail
The following is the mintDollar function in UbiquityPoolFacet.sol:
It calls mintDollar in LibUbiquityPool.sol, which is as follows:
The main issue is in the function used to compute the collateral needed in order to mint dollar.
The getDollarInCollateralIndex function is as follows:
So let's assume missing decimals = 0; the collateral needed will then be calculated as follows:
Let's assume collateral price = 20 dollars, i.e. poolStorage.collateralPrices[collateralIndex] = 20*10**6 = 2e7. If dollar amount = 19, then collateral needed will be equal to 19.mul(e6).div(20e6) = 0, so the user can mint dollar tokens for free. Not only this: the user now has 19 dollar tokens minus minting fees, so let's assume the user got 18 dollar tokens. Now let's assume that the user can only redeem dollar for the collateralIndex used while minting the dollar tokens. If the value of the collateral has decreased and the redeem function is called, which is as follows:
Now let's assume that the price of collateral has decreased to 10 dollars from 20 dollars. If redeem is called, the amount of collateral the user would receive is calculated as follows:
Let's assume that after applying the redemption fee the amount of dollar = 16. So the collateral he would receive is equal to 16.mul(e6).div(10e6) = 1 collateral token. So it can be seen that collateral can be received without initially paying for minting the dollar token.
Impact
This can cause free minting of dollar tokens as well as loss of collateral from the contract which other users have transferred.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/facets/UbiquityPoolFacet.sol#L92C1-L106C1
https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/facets/UbiquityPoolFacet.sol#L77
https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L284
Tool used
Manual Review
Recommendation
Add the following
Duplicate of #7
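The arithmetic the report walks through, reproduced as an added integer-math model (this is not Ubiquity's code and is not the fix the reporter submitted). It assumes a 6-decimal price scale, taken from the report's "20 dollars = 20*10**6", constructed basis-point fees chosen so the numbers match the report (19 -> 18 on mint, 18 -> 16 on redeem), and a hypothetical `require_nonzero` flag that models a "collateral needed must be greater than zero" check on mint. Floor division stands in for Solidity's uint256 division, which is the whole point: any dollar amount whose scaled value is below the collateral price rounds to zero collateral.

```python
# Constructed model of the collateral-needed rounding described in the report.
# Not the project's code; PRICE_PRECISION and the fee parameters are assumptions.
PRICE_PRECISION = 10**6  # assumed 6-decimal price scale (20 dollars == 20 * 10**6)


def dollar_in_collateral(dollar_amount: int, collateral_price: int,
                         missing_decimals: int = 0) -> int:
    """Collateral units needed to back `dollar_amount`.

    Mirrors a fixed-point division done in uint256: Python's // floors like
    Solidity, so dollar_amount * PRICE_PRECISION < collateral_price yields 0.
    `missing_decimals` scales down to the collateral's own decimals.
    """
    scaled = dollar_amount * PRICE_PRECISION // collateral_price
    return scaled // (10 ** missing_decimals)


def apply_fee(amount: int, fee_bps: int) -> int:
    """Deduct a basis-point fee (constructed: 10_000 bps == 100%)."""
    return amount - amount * fee_bps // 10_000


def mint_dollar(dollar_amount: int, collateral_price: int, fee_bps: int,
                require_nonzero: bool) -> tuple[int, int]:
    """Return (collateral_needed, dollar_received).

    With require_nonzero=False this is the behaviour the report describes:
    collateral_needed can be 0 while dollar tokens are still minted.
    With require_nonzero=True the mint reverts (raises) in that case, which is
    the check the report's title asks for (hypothetical, modelled here).
    """
    needed = dollar_in_collateral(dollar_amount, collateral_price)
    if require_nonzero and needed == 0:
        raise ValueError("collateral needed rounds to zero; refusing to mint")
    return needed, apply_fee(dollar_amount, fee_bps)


def redeem_dollar(dollar_amount: int, collateral_price: int, fee_bps: int) -> int:
    """Collateral paid out for `dollar_amount` after the redemption fee."""
    after_fee = apply_fee(dollar_amount, fee_bps)
    return dollar_in_collateral(after_fee, collateral_price)


def round_trip(dollar_amount: int, mint_price: int, redeem_price: int,
               mint_fee_bps: int, redeem_fee_bps: int,
               require_nonzero: bool) -> tuple[int, int]:
    """(collateral paid in, collateral paid out) for mint-then-redeem at a
    possibly different price. A (0, >0) result is the loss the report describes."""
    paid_in, dollars = mint_dollar(dollar_amount, mint_price, mint_fee_bps,
                                   require_nonzero)
    paid_out = redeem_dollar(dollars, redeem_price, redeem_fee_bps)
    return paid_in, paid_out


if __name__ == "__main__":
    twenty, ten = 20 * 10**6, 10 * 10**6
    print("collateral needed for 19 raw dollar at $20:", dollar_in_collateral(19, twenty))
    print("round trip without check:", round_trip(19, twenty, ten, 1000, 1200, False))
    try:
        round_trip(19, twenty, ten, 1000, 1200, True)
    except ValueError as exc:
        print("round trip with check:", exc)
    # A normal-sized mint (1e18 raw dollar) is unaffected by the check.
    print("collateral needed for 1e18 raw dollar at $20:", dollar_in_collateral(10**18, twenty))
```

The `round_trip` output makes the two halves of the report concrete: 19 raw dollar units cost 0 collateral at a $20 price, and the 16 units left after fees redeem for 1 collateral unit once the price halves. The `require_nonzero` branch shows why the reporter's recommended check is cheap to add: a 1e18-unit mint still computes a non-zero collateral amount, so only the dust-sized mints (the "$1e-6" auditsea mentions) are rejected.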