This repository has been archived by the owner on Jul 14, 2024. It is now read-only.
ilchovski - Incorrect pricing of the Dollar token #148
Labels
Non-Reward
This issue will not receive a payout
Comments
github-actions
bot
added
the
Excluded
|
1 comment(s) were left on this issue during the judging contest. auditsea commented:
|
github-actions
bot
added
High
|
1 comment(s) were left on this issue during the judging contest. auditsea commented:
|
sherlock-admin2
changed the title
sherlock-admin
added
Non-Reward
sherlock-admin2
removed
the
Duplicate
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
ilchovski
high
Incorrect pricing of the Dollar token
Summary
Dollar token is priced in 3CRV liquidity pool tokens instead of USD.
Vulnerability Detail
The protocol decides when to allow/forbid users to mint/burn Dollar tokens based on how much 3CRV liquidity pool tokens 1 Dollar token can get by intending control the price of the Dollar token to be 1 USD. Unfortunately historically the 3CRV liquidity pool token fluctuates in price in comparison to USD and is not an accurate metric.
Impact
Protocol allow/forbid users to mint/burn Dollar tokens based on incorrect metric of USD.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L347C22-L347C22
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L300
Tool used
Manual Review
Recommendation
This really depends on the protocol's strategy to decide how this issue should be resolved.
For example, the team could decide to create their own price feed, maintain it and average out the exchange rate of the token from different number of pools/pairs of tokens that are pegged to the USD like DAI etc in order to have more stability and less risk of price manipulation.
Duplicate of #59
The text was updated successfully, but these errors were encountered: