Skip to content
This repository has been archived by the owner on Nov 26, 2023. It is now read-only.

tallo - USSDRebalancer.getOwnValuation and getSupplyProportion are vulnerable to manipulation due to how they calculate token balances #92

Closed
sherlock-admin opened this issue May 23, 2023 · 0 comments
Closed

tallo - USSDRebalancer.getOwnValuation and getSupplyProportion are vulnerable to manipulation due to how they calculate token balances #92

sherlock-admin opened this issue May 23, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented May 23, 2023
edited by github-actions bot
Loading

tallo

high

USSDRebalancer.getOwnValuation and getSupplyProportion are vulnerable to manipulation due to how they calculate token balances

Summary

USSDRebalancer.getOwnValuation uses the UniV3.slot0 function to calculate its current token price. This calculated value is the most recent spot price and can be easily manipulated.

Vulnerability Detail

The getOwnValuation function returns the most recent spot price.

    function getOwnValuation() public view returns (uint256 price) {
      (uint160 sqrtPriceX96,,,,,,) =  uniPool.slot0();
      if(uniPool.token0() == USSD) {
        price = uint(sqrtPriceX96)*(uint(sqrtPriceX96))/(1e6) >> (96 * 2);
      } else {
        price = uint(sqrtPriceX96)*(uint(sqrtPriceX96))*(1e18 /* 1e12 + 1e6 decimal representation */) >> (96 * 2);
        // flip the fraction
        price = (1e24 / price) / 1e12;
      }
    }

getSupplyProportion uses the current token0 and token1 balance.

    function getSupplyProportion() public view returns (uint256, uint256) {
      uint256 vol1 = IERC20Upgradeable(uniPool.token0()).balanceOf(address(uniPool));
      uint256 vol2 = IERC20Upgradeable(uniPool.token1()).balanceOf(address(uniPool));
      if (uniPool.token0() == USSD) {
        return (vol1, vol2);
      }
      return (vol2, vol1);
    }

Impact

All functionality that uses the spot price is vulnerable such as USSDRebalancer.rebalance, USSDRebalancer.SellUSSDBuyCollateral, and USSDRebalancer.BuyUSSDSellCollateral

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#L71
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#LL83C45-L83C45

Tool used

Manual Review

Recommendation

It would be ideal to take an average of the uniswap price over certain time periods (TWAP) so its much harder to manipulate

Duplicate of #451
@github-actions github-actions bot closed this as completed Jun 5, 2023
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jun 5, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jun 23, 2023
@0xJuancito 0xJuancito mentioned this issue Jun 25, 2023
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin