This repository has been archived by the owner on Jul 14, 2024. It is now read-only.
0xpiken - Incorrect value was used to represent USD price of Ubiquity Dollar #30
Labels
Non-Reward
This issue will not receive a payout
0xpiken
medium
Incorrect value was used to represent USD price of Ubiquity Dollar
Summary
UbiquityPoolFacet#getDollarPriceUsd() is supposed to return USD value of Ubiquity Dollar according to its doc:
However, it's actually returning the price in 3CRV of the Ubiquity Dollar instead.
Vulnerability Detail
Ubiquity has a mechanism to limit Ubiquity Dollar minting and redeeming:
mintPriceThreshold
redeemPriceThreshold
mintPriceThreshold and redeemPriceThreshold represent price thresholds measured in USD value with 6 decimal places:
From above we can see that the return value of getDollarPriceUsd() must represent the USD price of the Ubiquity Dollar token.
Let's take a look at how getDollarPriceUsd() works:
LibTWAPOracle.getTwapPrice() (decimals are scaled from 18 to 6):
getTwapPrice() returns the value of ts.price0Average:
From Line 115 we can see that ts.price0Average is the price to exchange 1 Ubiquity Dollar to 3CRV based on TWAP, which is not relevant to USD value.
ts.price0Average is updated by calling LibTWAPOracle#update(). It's clear that ts.price0Average represents how many 3CRV tokens are needed for exchanging / swapping 1e18 Ubiquity Dollar:
Since the returned amount of 3CRV tokens cannot represent the USD value of Ubiquity Dollar, mintDollar() and redeemDollar() cannot work as expected.
Impact
mintDollar() and redeemDollar() may not work as expected
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L346-L349
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L418-L421
Tool used
Manual Review
Recommendation
getDollarPriceUsd() should return the real USD value of Ubiquity Dollar. IMetaPool#get_dy_underlying() could be helpful in achieving this.
Duplicate of #59
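A unit check for the mismatch this report describes, as an added example that is not part of the original issue or the Ubiquity code base: it runs a 3CRV-denominated TWAP reading and its USD conversion through the same 6-decimal threshold gates. The function names, the threshold values, the comparison directions and the USD-per-3CRV input are assumptions made for illustration.

```python
# Added example. Every number below is constructed for illustration.
WAD = 10**18          # 18-decimal fixed point used by the TWAP value
PRICE_SCALE = 10**6   # 6-decimal fixed point used by the thresholds

# Assumed threshold values and comparison directions (not taken from the page).
MINT_PRICE_THRESHOLD = 1_010_000    # 1.01 USD
REDEEM_PRICE_THRESHOLD = 990_000    # 0.99 USD


def scale_18_to_6(value_wad: int) -> int:
    """Scale an 18-decimal value down to 6 decimals, truncating."""
    return value_wad * PRICE_SCALE // WAD


def price_in_3crv(twap_3crv_per_dollar_wad: int) -> int:
    """The quantity the report says is returned: 3CRV per Dollar, 6 decimals."""
    return scale_18_to_6(twap_3crv_per_dollar_wad)


def price_in_usd(twap_3crv_per_dollar_wad: int, usd_per_3crv_wad: int) -> int:
    """Unit-correct value: (3CRV per Dollar) * (USD per 3CRV), 6 decimals."""
    usd_per_dollar_wad = twap_3crv_per_dollar_wad * usd_per_3crv_wad // WAD
    return scale_18_to_6(usd_per_dollar_wad)


def gates(price_6dec: int) -> dict:
    """Assumed gates: mint at or above one threshold, redeem at or below the other."""
    return {
        "mint_allowed": price_6dec >= MINT_PRICE_THRESHOLD,
        "redeem_allowed": price_6dec <= REDEEM_PRICE_THRESHOLD,
    }


def compare(twap_wad: int, usd_per_3crv_wad: int) -> dict:
    """Run both readings through the same gates and flag any disagreement."""
    as_3crv = price_in_3crv(twap_wad)
    as_usd = price_in_usd(twap_wad, usd_per_3crv_wad)
    return {"as_3crv": as_3crv, "as_usd": as_usd,
            "gates_3crv": gates(as_3crv), "gates_usd": gates(as_usd),
            "mismatch": gates(as_3crv) != gates(as_usd)}


# Constructed scenario: 1 3CRV is worth 1.03 USD and 1 Dollar swaps for
# about 0.970874 3CRV, so the Dollar is worth almost exactly 1.00 USD.
SAMPLE = compare(twap_wad=970_873_786_407_766_990,
                 usd_per_3crv_wad=1_030_000_000_000_000_000)

if __name__ == "__main__":
    print(SAMPLE)
```

In the constructed scenario the 3CRV reading falls below the assumed redeem threshold while the USD reading does not, so the two gate decisions disagree even though the Dollar sits at its peg.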