kiki_dev
high
BuyUSSDSellCollateral will underflow when collaterValue is greater than 1e18
When calculating amountToSellUnits this calculation is performed:
uint256 amountToSellUnits = IERC20Upgradeable(collateral[i].token).balanceOf(USSD) * ((amountToBuyLeftUSD * 1e18 / collateralval) / 1e18) / 1e18;
If at any point collateral value is greater than 1e18 the calculation will return 0 and when It shouldn't.
collateralVal is calculated here
uint256 collateralval = IERC20Upgradeable(collateral[i].token).balanceOf(USSD) * 1e18 / (10**IERC20MetadataUpgradeable(collateral[i].token).decimals()) * collateral[i].oracle.getPriceUSD() / 1e18;
With sample numbers inputted it would look something like this.
// 10 eth for balance at price of $2000
function colVal() public pure returns (uint256 ) {
return 10e18 * 1e18 / 1e18 * 2000e18 / 1e18;
}
// will return 0
function amountToSell() public pure returns (uint256 ) {
return 1e18 * ((10e18 * 1e18 / colVal()) / 1e18) / 1e18;
}Because the function wont revert here it will continue execution but with amountToSellUnit = 0 which will lead to the protocol burning USSD without properly balancing the state. leading to a further unbalanced state.
Manual Review
Tweak the way amountToSellUnits is calculated so that there isnt an underflow when collateralVal greater than 1e18.