Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
42 lines (31 loc) · 1.63 KB

029.md

File metadata and controls

42 lines (31 loc) · 1.63 KB
Raw

Chom

medium

ComposableStableBalancerLPOracle is wrong in case a token is depegged

Summary

ComposableStableBalancerLPOracle is wrong in case a token is depegged

Vulnerability Detail

    function getPrice(address token) external view returns (uint) {
        (
            address[] memory poolTokens,
            ,
        ) = vault.getPoolTokens(IPool(token).getPoolId());

        uint length = poolTokens.length;
        uint minPrice = type(uint).max;
        for(uint i = 0; i < length; i++) {
            if (poolTokens[i] == token) continue;
            uint price = oracleFacade.getPrice(poolTokens[i]);
            minPrice = (price < minPrice) ? price : minPrice;
        }
        return minPrice.mulWadDown(IPool(token).getRate());
    }

getPrice returns the minimum price of underlying tokens in the LP. For example, if that LP consists of 10% UST, 45% USDC, and 45% USDT. If UST depegged from 1$ to 0.1$ then getPrice will return 0.1$. Since UST is just 10%, the LP price shouldn't be 0.1$.

Impact

If a token is depegged, the oracle will return LP token price as the price of the worst depegged token. But in fact, there are other tokens in the LP, so the LP price must be the weighted sum of all underlying tokens multiplied by price divided by total supply instead of a minimum one.

Code Snippet

https://github.com/sherlock-audit/2022-11-sentiment/blob/main/oracle-merged/src/balancer/ComposableStableBalancerLPOracle.sol#L42-L56

Tool used

Manual Review

Recommendation

Calculate LP price using the weighted sum of all underlying tokens multiplied by price divided by total supply instead of a minimum one.