sherlock-audit / 2024-06-union-finance-update-2-judging

John_Femi - UToken failed to consider temporary depegging of USDC, USDT, DAI #134

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

John_Femi

Medium

UToken failed to consider temporary depegging of USDC, USDT, DAI

Summary

The UToken Borrow contracts assume that the ratio of USD:USDC is 1:1, hence no oracle was used.

Vulnerability Detail

A user can take advantage of a temporary depeg of, say, 1:0.97 to borrow a large enough amount of tokens and pay back the borrowed tokens when the depeg is rebalanced to, say, 1:0.99. 0.02 * 10000 is 200 USD of value lost due to bad debt.

Impact

Loss of funds, bad debt

Code Snippet

https://github.com/sherlock-audit/2024-06-union-finance-update-2/blob/main/union-v2-contracts/contracts/market/UToken.sol#L611

Tool used

Manual Review

Recommendation

sherlock-admin2 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Lacks proof where USD:USDC is affecting the codebase