GatewayGuardians - Incorrect peg for uAD when protocol is deployed

[sherlock-admin]

GatewayGuardians

high

Incorrect peg for uAD when protocol is deployed

Summary

• The developers mentioned that uAD is 100% collateral backed.
  

• To ensure it, they are backing it with an equal amount of 3CRV in the curve pool during deployment.
  

Vulnerability Detail

• There is a circular dependency that happens when deploying the protocol:
  • To mint uAD from Ubiquity Pool, we need the Curve pool for TWAP.
  • To create the new uAD-3CRV Curve Pool, we need to mint uAD from UbiquityPool.
• To solve this issue, the developers intended to directly mint the initial uAD tokens and then supply them with an equal amount of 3CRV tokens to create the curve pool.
• The issue lies in the fact that uAD is worth $1 but the 3CRV token is $1.03.
• Additionally, the value of the 3CRV token increases as the fees get collected in the Curve's 3Pool.
• Therefore, from the beginning, the uAD is pegged to $1.03 instead of $1.

Impact

• uAD is pegged to $1.03 instead of $1 during deployment.
• The value of 3CRV tokens is $1.03 and rising (reference), so you are supplying 10k uAD ($1) with 10k 3CRV ($1.03).
• The value will be unbalanced: uAD ($10,000) and 3CRV ($10,300)

Code Snippet

• It is necessary that the amounts are exactly equal to set the pool as TWAP oracle. This is necessitated with the following condition:

require(_reserve0 == _reserve1, "TWAPOracle: PAIR_UNBALANCED");

Tool used

Manual Review

Recommendation

• 3CRV is an LP token, not a stablecoin. And uAD maintaining its peg to $1 is quite important for it to qualify as a "stablecoin"
• Hence, the uAD should be backed with a stablecoin, like DAI, USDC, or LUSD to ensure it is pegged to $1

Duplicate of #59

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Threasholds can be controlled to hedge LP price deviation, LP price should represent dollar price better than individual underlying token price

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Threasholds can be controlled to hedge LP price deviation, LP price should represent dollar price better than individual underlying token price