ziankork
commented
1 month ago hmm not sure about this, seems like this is more of a trading strategy than a vulnerability to me. The cooldown period would negate the entire intent behind the protocol(hedge against depegging risks). invalid for now
KupiaSec
High
When the price of
PAdeclines, users can profit by executingdepositPsm + redeemRaWithDsSummary
When the price of
PAdrops significantly, users can profit by following these steps:RAforCT + DS.DS + PAforRA(using the generatedDSfrom step 1).CT(generated in step 1) forRAin the Uniswap V2 pool.Vulnerability Detail
Let's consider the following scenario:
ds.exchangeRate() = 1.17, so1 CT + 1 DS = 1.17 RA.psmBaseRedemptionFeePercentage = 3%(is used to deduct fees when exchangingDS + PAforRA).1 CT = 1.07 RAin the Uniswap V2 pool.PAhas significantly dropped, so1 PA = 1 RA.Under these assumptions:
117 RAfor100 * (CT + DS)by calling thePsm.depositPsm()function.100 * (DS + PA)for117 RAby calling thePsm.redeemRaWithDs()function. However, due to the fee mechanism, Alice receives(117 * 0.97 = 113.49) RA.100 CTfor107 RAin the Uniswap V2 pool.As a result, Alice makes a profit of
-117 RA - 100 PA + 113.49 RA + 107 RA = 3.49 RA.This issue arises because users can immediately use the generated
DSfrom step 1 to exchangeDS + PAforRA. It would be more effective to implement a cooldown period from the generation timestamp before allowing the use ofDS.Impact
Users can gain unfair profits.
Code Snippet
https://github.com/sherlock-audit/2024-08-cork-protocol/tree/main/Depeg-swap/contracts/core/Psm.sol#L90-L101
https://github.com/sherlock-audit/2024-08-cork-protocol/tree/main/Depeg-swap/contracts/core/Psm.sol#L123-L140
Tool used
Manual Review
Recommendation
It would be more effective to implement a cooldown period from the generation timestamp before allowing the use of
DS.