Skip to content

Latest commit

 

History

History
85 lines (57 loc) · 2.8 KB

066.md

File metadata and controls

85 lines (57 loc) · 2.8 KB

shaka

high

The calculations of DAI price in StableOracleDAI.sol:getPriceUSD() are incorrect

Summary

The calculations of DAI price in StableOracleDAI.sol:getPriceUSD() are incorrect.

Vulnerability Detail

StableOracleDAI.sol:getPriceUSD() calculates DAI price as follows:

DAIWethPrice is the WETH/DAI rate.

wethPriceUSD is the WETH/USD rate.

price is the DAI/ETH rate.

The price of DAI is calculated with the following operation

(wethPriceUSD * 1e18) / ((DAIWethPrice + uint256(price) * 1e10) / 2);

Which does not result in the USD/DAI price.

Impact

USSD.sol:mintForToken() will mint an incorrect amount of USSD tokens.

The rebalance functionality will not work as expected, as the amounts to be swapped in USSDRebalancer.sol:SellUSSDBuyCollateral() and USSDRebalancer.sol:BuyUSSDSellCollateral() will be incorrect.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L33-L53

Proof of concept

Foundry test

pragma solidity ^0.8.0;

import "forge-std/Test.sol";

contract USSDTest is Test {
    function testGetDAIPriceUSD() public {
        // address[] memory pools = new address[](1);
        // pools[0] = 0x60594a405d53811d3BC4766596EFD80fd545A270;
        // uint256 DAIWethPrice = DAIEthOracle.quoteSpecificPoolsWithTimePeriod(
        //     1000000000000000000, // 1 Eth
        //     0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2, // WETH (base token)
        //     0x6B175474E89094C44Da98b954EedeAC495271d0F, // DAI (quote token)
        //     pools, // DAI/WETH pool uni v3
        //     600 // period
        // );
        uint256 DAIWethPrice = 1815_878751276116508416; // Value returned by a call with the above data to the static orcacle 0xb210ce856631eeeb767efa666ec7c1c57738d438 in Ethereum mainnet

        uint256 wethPriceUSD = getWethPriceUSD();
    
        int256 price = 551720649183640; // Value returned by a call with the above data to the chainlink oracle 0x773616E4d11A78F511299002da57A0a94577F1f4 in Ethereum mainnet

        uint DAIPriceUSD = (wethPriceUSD * 1e18) / ((DAIWethPrice + uint256(price) * 1e10) / 2);
        console.log("DAIPriceUSD: %s", DAIPriceUSD);
    }

    function getWethPriceUSD() private returns (uint256) {
        // From StableOracleWETH.sol:getPriceUSD() code
        int256 price = 1814_99350000; // Value returned by a call with the above data to the chainlink oracle 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419 in Ethereum mainnet
        return uint256(price) * 1e10;
    }
}

Console output

DAIPriceUSD: 657722827750283

Tool used

Foundry

Recommendation

Use directly the DAI/USD Chainlink aggregator contract to calculate the DAI price.