This repository has been archived by the owner on Jul 14, 2024. It is now read-only.

osmanozdemir1 - LibTWAPOracle::consult() function should update prices before returning #187

Closed
sherlock-admin opened this issue Jan 10, 2024 · 2 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin

sherlock-admin commented Jan 10, 2024

osmanozdemir1

high

LibTWAPOracle::consult() function should update prices before returning

Summary

The LibTWAPOracle::getTwapPrice() function is used to get the DollarToken price, and the returned value is used in major functions like mintDollar() and redeemDollar() in LibUbiquityPool.sol. However, this function returns average prices without updating them.

Vulnerability Detail

Below you can see the getTwapPrice() and consult() functions.

    function getTwapPrice() internal view returns (uint256) {
        return
            LibTWAPOracle.consult(
                LibAppStorage.appStorage().dollarTokenAddress
            );
    }

//---

    function consult(address token) internal view returns (uint256 amountOut) {
        TWAPOracleStorage memory ts = twapOracleStorage();

        if (token == LibAppStorage.appStorage().dollarTokenAddress) {
            // price to exchange 1 Ubiquity Dollar to 3CRV based on TWAP
            amountOut = ts.price0Average;
        } else {
            require(token == ts.token1, "TWAPOracle: INVALID_TOKEN");
            // price to exchange 1 3CRV to Ubiquity Dollar based on TWAP
            amountOut = ts.price1Average;
        }
    }

The getTwapPrice() function directly calls consult() and returns these values. However, the average prices returned by the consult() function are not up to date. It must update the twapOracleStorage first, and then return the average prices.

Impact

The getTwapPrice() function is used in the getDollarPriceUsd() function here, which means getDollarPriceUsd() always returns stale prices. The returned value is used in the two most crucial functions: mintDollar and redeemDollar. All of these actions are performed with stale prices.

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L111C1-L122C6

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibTWAPOracle.sol#L159C1-L164C6

Tool used

Manual Review

Recommendation

    function consult(address token) internal view returns (uint256 amountOut) {
+       // update the price first.
+       update();  
+       // Then return the average prices in the storage.

        TWAPOracleStorage memory ts = twapOracleStorage();

        if (token == LibAppStorage.appStorage().dollarTokenAddress) {
            // price to exchange 1 Ubiquity Dollar to 3CRV based on TWAP
            amountOut = ts.price0Average;
        } else {
            require(token == ts.token1, "TWAPOracle: INVALID_TOKEN");
            // price to exchange 1 3CRV to Ubiquity Dollar based on TWAP
            amountOut = ts.price1Average;
        }
    }
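Review bot: the added `update();` call writes to the oracle storage (the report itself says consult must update twapOracleStorage first), so `consult` can no longer be declared `internal view` as on the first line of this snippet; the `view` modifier has to be dropped there, and also on the caller `getTwapPrice()`, which the Vulnerability Detail section shows as `internal view`, or the patched code will not compile. It would also help to state in the comment whether `update()` is a no-op when less than the TWAP period has elapsed since the last update, since in that case consult still returns the previously stored average.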

Duplicate of #34
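The stale-read problem described in this report, shown as an added example that is not code from the Ubiquity project or the reporter. It is a toy model of a cumulative-price TWAP oracle (Uniswap-V2 style accumulators); the class and function names (`Pool`, `TwapOracle`, `consult_stale`, `consult_fresh`, `is_stale`) and the price path are constructed assumptions. `consult_stale` mirrors the reported behaviour (return the stored average as-is), `consult_fresh` mirrors the recommendation (update first, then read), and `is_stale` is the extra freshness check a consumer such as a mint/redeem path would want so that it can refuse to act on an old average.

```python
"""Toy cumulative-price TWAP oracle showing why reading the stored
average without updating returns a stale price (added example)."""
from dataclasses import dataclass


@dataclass
class Pool:
    """Constructed stand-in for the AMM pool the oracle observes."""
    price: float             # spot price of token0 in token1
    now: int = 0             # block timestamp (seconds)
    cumulative: float = 0.0  # sum(price * elapsed), like price0CumulativeLast

    def set_price(self, new_price: float) -> None:
        self.price = new_price

    def advance(self, dt: int) -> None:
        # Accumulate the current spot price over dt seconds, then move time.
        self.cumulative += self.price * dt
        self.now += dt


@dataclass
class TwapOracle:
    """Constructed oracle: stores an average that only changes on update()."""
    pool: Pool
    period: int = 3600               # minimum seconds between updates
    price0_cumulative_last: float = 0.0
    block_timestamp_last: int = 0
    price0_average: float = 0.0

    def update(self) -> bool:
        # Recompute the average over the window since the last update.
        elapsed = self.pool.now - self.block_timestamp_last
        if elapsed < self.period:
            return False  # too soon: stored average is left untouched
        cum = self.pool.cumulative
        self.price0_average = (cum - self.price0_cumulative_last) / elapsed
        self.price0_cumulative_last = cum
        self.block_timestamp_last = self.pool.now
        return True

    def consult_stale(self) -> float:
        # Reported behaviour: read storage without refreshing it.
        return self.price0_average

    def consult_fresh(self) -> float:
        # Recommended behaviour: refresh storage, then read it.
        self.update()
        return self.price0_average

    def is_stale(self, max_age: int) -> bool:
        # Consumer-side check: how old is the average we are about to use?
        return (self.pool.now - self.block_timestamp_last) > max_age


def demo() -> dict:
    """Walk a constructed price path and compare the two read styles."""
    pool = Pool(price=1.0)
    oracle = TwapOracle(pool=pool)

    # Hour 1: price steady at 1.0; a proper update stores average 1.0.
    pool.advance(3600)
    oracle.update()

    # Hours 2-3: price drops to 0.5 and nobody calls update().
    pool.set_price(0.5)
    pool.advance(7200)

    was_stale = oracle.is_stale(max_age=oracle.period)
    stale_read = oracle.consult_stale()   # still 1.0: two hours out of date
    fresh_read = oracle.consult_fresh()   # recomputes over the window: 0.5
    return {
        "was_stale": was_stale,
        "stale_read": stale_read,
        "fresh_read": fresh_read,
        "age_after_update": pool.now - oracle.block_timestamp_last,
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed path the stored average is still 1.0 while the pool has traded at 0.5 for two hours, which is exactly the gap a mint or redeem built on `consult_stale` would price against; updating first closes it, and the `is_stale` check gives the caller a way to refuse an average older than the TWAP period even when an update is skipped.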

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jan 14, 2024
@sherlock-admin2

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

REF #34

@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jan 16, 2024
@sherlock-admin2

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

REF #34

@sherlock-admin sherlock-admin changed the title Kind Orchid Stork - LibTWAPOracle::consult() function should update prices before returning osmanozdemir1 - LibTWAPOracle::consult() function should update prices before returning Jan 24, 2024
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jan 24, 2024
@Czar102 Czar102 removed the Medium A valid Medium severity issue label Feb 19, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Feb 19, 2024