This repository has been archived by the owner on Jul 14, 2024. It is now read-only.

Arz - The TWAP oracle uses 3CRV which is not exactly pegged to $1.00 #165

Closed
sherlock-admin opened this issue Jan 10, 2024 · 2 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin

sherlock-admin commented Jan 10, 2024

Arz

medium

The TWAP oracle uses 3CRV which is not exactly pegged to $1.00

Summary

The TWAP oracle uses the Ubiquity Dollar/3CRV metapool to track the price of the Ubiquity Dollar. The problem here is that 3CRV is currently pegged to ~$1.03, which will cause the Ubiquity Dollar to also be ~$1.03.

Vulnerability Detail

Because there isn't a Chainlink feed for uAD, a Curve TWAP oracle must be used, which relies on the uAD/3CRV metapool. The price of 3CRV is currently ~$1.03, so the price of the uAD will also be ~$1.03 when the pool is balanced.

Because the price of the uAD is supposed to be exactly $1.00, the metapool will be slightly unbalanced, which will make the TWAP return inaccurate prices and will cause problems in the Ubiquity Pool, where the price to mint or redeem must not be lower or bigger than the thresholds.

Impact

The price returned by the oracle will not be accurate and will cause problems; for example, users will be unable to mint or redeem in the Ubiquity Pool.

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L111

```solidity
require(
    getDollarPriceUsd() >= poolStorage.mintPriceThreshold,
    "Dollar price too low"
);
```

As you can see in LibUbiquityPool.sol, there are thresholds which check if the price is equal to $1.00; if the oracle does not return exactly $1.00, users can fail to mint or redeem.

Tool used

Manual Review

Recommendation

The easiest solution here would be to use a pool with a different stablecoin that is actually $1.00.

Duplicate of #59

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jan 14, 2024
@sherlock-admin2

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Based on the situation and pool token price, the thresholds can be adjusted

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jan 16, 2024
@sherlock-admin2

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Based on the situation and pool token price, the thresholds can be adjusted

@sherlock-admin sherlock-admin changed the title Dapper Macaroon Cormorant - The TWAP oracle uses 3CRV which is not exactly pegged to $1.00 Arz - The TWAP oracle uses 3CRV which is not exactly pegged to $1.00 Jan 24, 2024
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jan 24, 2024
@Czar102 Czar102 removed the High A valid High severity issue label Feb 19, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Feb 19, 2024