sherlock-audit / 2023-12-ubiquity-judging


osmanozdemir1 - The current Curve metapool factory and the metapool implementation contract do not have the necessary TWAP functions #87

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

osmanozdemir1

high

The current Curve metapool factory and the metapool implementation contract do not have the necessary TWAP functions

Summary

This protocol will deploy a metapool (Dollar-3CRVLP) using Curve's metapool factory contract, to be able to use this metapool as a price oracle. However, the currently active Curve metapool factory contract and the metapool implementation contract are different from the ones used in this protocol's previous deployments, and do not have the necessary TWAP functionality.

Vulnerability Detail

This protocol gets collateral prices using the Chainlink oracle, and plans to determine the UbiquityDollarToken price using the Curve metapool. The reason for that is that the Chainlink oracle does not have a price feed for UbiquityDollarToken.

The protocol already has a deployed Dollar-3CRVLP metapool, which was deployed at this address in June 2021. According to the audit list provided by the sponsor, this metapool will be redeployed with an upgradeability feature.

There is the old Curve's Dollar-3CRVLP metapool but we will redeploy it because we plan to use the upgradeable Dollar token version (while the old metapool uses the old Dollar token).

As we can see here, the currently active Curve metapool factory address is: 0xB9fC157394Af804a3578134A6585C0dc9cc990d4.

The metapool implementation created with this factory contract is 0x213be373FDff327658139C7df330817DAD2d5bBE.

The latest metapool created with the current Curve metapool factory was created 36 days ago, with this transaction hash. You can see the implementation contract in the code section of that metapool on Etherscan.

The issue is that the Curve factory and implementation contracts were updated by the Curve protocol after Ubiquity's previous deployments in 2021. The new Curve implementation does not have TWAP functionality. It does not have the get_price_cumulative_last() and get_twap_balances() functions.

If the protocol deploys a new Dollar-3CRVLP metapool using Curve's current factory, it will not work as expected.

Impact

The protocol will not work as expected.

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L135

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L77

Tool used

Manual Review, Etherscan

Recommendation

I am not sure what the reason was behind the Curve protocol changing both the factory and implementation contracts. The Ubiquity protocol may try to use the old factory with the old implementation, but this might bring additional security issues depending on why they stopped using them.

I would like to point out that the last metapool deployment using the old factory contract was performed more than 377 days ago (at the time of this submission), and it has never been used since.

Duplicate of #201
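A setup-time guard that rejects a metapool lacking the TWAP functions the finding names, added here as an example and not part of the finding or of the Ubiquity code base. The interface follows the two function names given above; the `get_twap_balances` parameter shape is assumed from Curve's TWAP-enabled metapool template, and `TwapOracleSetup` is a hypothetical caller standing in for the oracle's pool-binding step.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal view of the Curve metapool functions the TWAP oracle depends on.
/// Names come from the finding; the get_twap_balances parameter shape is an
/// assumption taken from Curve's TWAP-enabled metapool template.
interface IMetaPoolTwap {
    function get_price_cumulative_last() external view returns (uint256[2] memory);
    function get_twap_balances(
        uint256[2] memory firstBalances,
        uint256[2] memory lastBalances,
        uint256 timeElapsed
    ) external view returns (uint256[2] memory);
}

/// Hypothetical guard: probe the pool with staticcalls before the oracle is
/// bound to it, so a pool built from an implementation without TWAP support is
/// rejected at setup instead of reverting on the first oracle update.
library TwapPoolCheck {
    error PoolLacksTwap(address pool, bytes4 selector);

    function requireTwapSupport(address pool) internal view {
        // A pool without this selector fails the call, and an EOA or a contract
        // with a permissive fallback returns no data; both are rejected by the
        // length check (two uint256 words = 64 bytes).
        (bool ok, bytes memory ret) =
            pool.staticcall(abi.encodeCall(IMetaPoolTwap.get_price_cumulative_last, ()));
        if (!ok || ret.length != 64) {
            revert PoolLacksTwap(pool, IMetaPoolTwap.get_price_cumulative_last.selector);
        }
        uint256[2] memory cumulative = abi.decode(ret, (uint256[2]));

        // Probe get_twap_balances with identical snapshots and 1 second elapsed:
        // a TWAP-enabled pool answers (with zeros), a pool lacking it fails.
        (ok, ret) = pool.staticcall(
            abi.encodeCall(IMetaPoolTwap.get_twap_balances, (cumulative, cumulative, 1))
        );
        if (!ok || ret.length != 64) {
            revert PoolLacksTwap(pool, IMetaPoolTwap.get_twap_balances.selector);
        }
    }
}

/// Hypothetical pool-binding step showing where the guard would run.
contract TwapOracleSetup {
    address public pool;

    function setPool(address newPool) external {
        TwapPoolCheck.requireTwapSupport(newPool); // reverts for a non-TWAP pool
        pool = newPool;
    }
}
```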

sherlock-admin2 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Protocol team will re-deploy the contract based on their needs, so basically out of scope
