WATCHPUG - Lack of Redeem Feature

[sherlock-admin]

WATCHPUG

medium

Lack of Redeem Feature

Summary

Vulnerability Detail

The whitepaper mentions a redeeming feature that allows the user to redeem USSD for DAI (see section 4 "Mint and redeem"), but it is currently missing from the implementation.

Although there is a "redeem" boolean in the collateral settings, there is no corresponding feature that enables the redemption of USSD to any of the underlying collateral assets.

Impact

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/interfaces/IUSSDRebalancer.sol#L13-L21

Tool used

Manual Review

Recommendation

Revise the whitepaper and docs to reflect the fact that there is no redeem function or add a redeem function.

[securitygrid]

Escalate for 10 USDC
This is valid low/info.
So far, lacking redeem is no impact.

[sherlock-admin]

Escalate for 10 USDC
This is valid low/info.
So far, lacking redeem is no impact.

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[0xJuancito]

Escalate for 10 USDC

This is a valid High.

---

Escalating the comment:

This is valid low/info.
So far, lacking redeem is no impact.

---

The impact is explained on the whitepaper and quoted on the "Vulnerability Detail" section from issue #218:

As per the USSD whitepaper:

If there is positive DAI balance in the collateral, USSD contract can provide
DAI for equal amount of USSD in return (that would be burned, contracting
supply).

The importance of this is said here:

Ability to mint and redeem USSD for DAI could serve as incentives to rebalance the coin when this is economically viable

And the most important feature is to have a mechanism to "help USSD recover in negative scenarios":

These methods also could be used to help USSD recover in negative scenarios:
if USSD value falls below 1 DAI and there are less than 1 DAI reserves per USSD
to refill the reserves allowing the USSD to recover it’s price by reducing supply

[sherlock-admin]

Escalate for 10 USDC

This is a valid High.

---

Escalating the comment:

This is valid low/info.
So far, lacking redeem is no impact.

---

The impact is explained on the whitepaper and quoted on the "Vulnerability Detail" section from issue #218:

As per the USSD whitepaper:

If there is positive DAI balance in the collateral, USSD contract can provide
DAI for equal amount of USSD in return (that would be burned, contracting
supply).

The importance of this is said here:

Ability to mint and redeem USSD for DAI could serve as incentives to rebalance the coin when this is economically viable

And the most important feature is to have a mechanism to "help USSD recover in negative scenarios":

These methods also could be used to help USSD recover in negative scenarios:
if USSD value falls below 1 DAI and there are less than 1 DAI reserves per USSD
to refill the reserves allowing the USSD to recover it’s price by reducing supply

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[0xcuriousapple]

well this is what protocol team said that time regarding redeem
that it is intentional

[ctf-sec]

well this is what protocol team said that time regarding redeem that it is intentional

valid low based on the sponsor's feedback

[hrishibhat]

Result:
Medium
Has duplicates
This issue can be considered a valid medium based on the Whitepaper description of the importance of having a the redeem function.

[sherlock-admin]

Escalations have been resolved successfully!

Escalation status:

• 0xJuancito: accepted
• securitygrid: rejected