Closed sherlock-admin closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
auditsea commented:
Protocol team will re-deploy the contract based on their needs, so basically out of scope
osmanozdemir1
high
The current Curve metapool factory and the metapool implementation contract do not have the necessary TWAP functions
Summary
This protocol will deploy a metapool (Dollar-3CRVLP) using the Curve's metapool factory contract to be able to use this metapool as a price oracle. However, the currently active Curve metapool factory contract and the metapool implementation contracts are different from this protocol's previous deployments, and do not have necessary TWAP functionality.
Vulnerability Detail
This protocol gets collateral prices using the Chainlink oracle, and plans to determine the `UbiquityDollarToken` prices using the Curve metapool. The reason for that is the Chainlink oracle does not have a price feed for `UbiquityDollarToken`.
The protocol already has a deployed `Dollar-3CRVLP` metapool, which is deployed at this address in June 2021. According to the audit list provided by the sponsor, this metapool will be redeployed with an upgradeability feature. As we can see here, the currently active Curve metapool factory address is: 0xB9fC157394Af804a3578134A6585C0dc9cc990d4.
The metapool implementation created with this factory contract is 0x213be373FDff327658139C7df330817DAD2d5bBE.
The latest metapool that is created with the current Curve metapool factory is created 36 days ago with this transaction hash. You can see the implementation contract in the code section of that metapool on etherscan.
The issue is that the Curve factory and implementation contracts are updated by the Curve protocol, after Ubiquity's previous deployments in 2021. The new Curve implementation does not have TWAP functionality. It does not have the `get_price_cumulative_last()` and the `get_twap_balances()` functions. If the protocol deploys a new `Dollar-3CRVLP` metapool using Curve's current factory, it will not work as expected.
Impact
The protocol will not work as expected.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L135
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L77
Tool used
Manual Review, Etherscan
Recommendation
I am not sure what the reason was behind the Curve protocol changing both factory and implementation contracts. Ubiquity protocol may try to use the old factory with the old implementation, but this might bring additional security issues depending on why they stopped using them.
I would like to point out that the last metapool deployment using the old factory contract was performed more than 377 days ago (at the time of this submission), and it has never been used since.
Duplicate of #201
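A configuration-time interface probe, as an added example that is not part of the submission above or of Ubiquity's code: before an oracle stores a Curve pool address, it static-calls the two TWAP views the finding says the current implementation lacks and rejects the pool if either call fails or returns data of the wrong size. The selectors are assumed from the older Curve metapool ABI; `CurveTwapProbe`, `supportsTwap`, `TwapOracleConfig` and `setPool` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical helper (added example). Probes a Curve pool for the TWAP
/// views a LibTWAPOracle-style consumer depends on, so a pool created from
/// a factory whose implementation lacks them is rejected when it is wired
/// in, instead of reverting on the first price update in production.
library CurveTwapProbe {
    // Selectors assumed from the older Curve metapool ABI (Ubiquity's 2021 pool):
    //   get_price_cumulative_last() returns (uint256[2])
    //   get_twap_balances(uint256[2],uint256[2],uint256) returns (uint256[2])
    bytes4 internal constant PRICE_CUMULATIVE_SEL =
        bytes4(keccak256("get_price_cumulative_last()"));
    bytes4 internal constant TWAP_BALANCES_SEL =
        bytes4(keccak256("get_twap_balances(uint256[2],uint256[2],uint256)"));

    /// True only if both views exist and return two 32-byte words.
    /// A Vyper contract without the function (and no fallback) reverts the
    /// call, so a failed staticcall or a short return means "not supported".
    function supportsTwap(address pool) internal view returns (bool) {
        if (pool.code.length == 0) return false;
        (bool okA, bytes memory retA) =
            pool.staticcall(abi.encodeWithSelector(PRICE_CUMULATIVE_SEL));
        if (!okA || retA.length != 64) return false; // uint256[2]
        // Assumed-safe arguments: zero balances and time_elapsed = 1 avoid a
        // division by zero inside the old implementation and yield [0, 0].
        uint256[2] memory zero;
        (bool okB, bytes memory retB) = pool.staticcall(
            abi.encodeWithSelector(TWAP_BALANCES_SEL, zero, zero, uint256(1))
        );
        return okB && retB.length == 64;
    }
}

/// Example consumer: the pool address is only accepted if the probe passes.
contract TwapOracleConfig {
    error PoolLacksTwap(address pool);
    address public pool;

    function setPool(address newPool) external {
        // Caller restriction omitted here; a real setter gates this to an admin.
        if (!CurveTwapProbe.supportsTwap(newPool)) revert PoolLacksTwap(newPool);
        pool = newPool;
    }
}
```

Run against a pool created by the factory at 0xB9fC157394Af804a3578134A6585C0dc9cc990d4, `setPool` is expected to revert with `PoolLacksTwap`, which is exactly the condition the finding describes.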