Hardcoded stable coin exchange rate

[code423n4]

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/StableVault.sol#L44-L72

Vulnerability details

Impact

Currently the exchange rate for tigUSD and other stable coin is hardcoded as 1:1. According to the doc

They are redeemable 1:1 for any asset in its respective StableVault

However, mainstream stable coins prices did fluctuates, USDT/USDC/DAI all could go up and down. If the strict 1:1 exchange rate is applied, sometimes there would be arbitrage opportunity and the contract could suffer fund loss.

Proof of Concept

From the historical prices of some stable coins, it can be seen that price could deviate from 1, and different stable coins are not in phase with each other, which leaves potential room to take advantage of tigUSD vault.

• USDT
  in 11/21/2018, the price falls to as low as 0.9734, and in 12/20/2018 rises to as high as 1.024.

• USDC
  in 03/19/2020, the price falls to as low as 0.9709, and in 01/31/2020 rises to as high as 1.0436.

• DAI
  in 05/16/2020, the price falls to as low as 0.9846, and in 09/11/2020 rises to as high as 1.0423.

Considering the non-transparency of USDT, regulatory risks of USDC and other defi protocols, unforeseen attack causing contract being compromised, etc. Not to mention severe events for luna/UST. The prices of stable coins are not guaranteed to keep stay around 1 USD.

The exchange rate for tigUSD and other stable coins are hardcoded as 1:1 in StableVault.sol.

File: contracts/StableVault.sol
44:     function deposit(address _token, uint256 _amount) public {
45:         require(allowed[_token], "Token not listed");
46:         IERC20(_token).transferFrom(_msgSender(), address(this), _amount);
47:         IERC20Mintable(stable).mintFor(
48:             _msgSender(),
49:             _amount*(10**(18-IERC20Mintable(_token).decimals()))
50:         );
51:     }

53:     function depositWithPermit(address _token, uint256 _amount, uint256 _deadline, bool _permitMax, uint8 v, bytes32 r, bytes32 s) external {
54:         uint _toAllow = _amount;
55:         if (_permitMax) _toAllow = type(uint).max;
56:         ERC20Permit(_token).permit(_msgSender(), address(this), _toAllow, _deadline, v, r, s);
57:         deposit(_token, _amount);
58:     }


65:     function withdraw(address _token, uint256 _amount) external returns (uint256 _output) {
66:         IERC20Mintable(stable).burnFrom(_msgSender(), _amount);
67:         _output = _amount/10**(18-IERC20Mintable(_token).decimals());
68:         IERC20(_token).transfer(
69:             _msgSender(),
70:             _output
71:         );
72:     }

If some day USDT prices falls to 0.99, but DAI still 1.00. Users can deposit with USDT and withdraw with DAI. Until all the balance of the vault is taken. The fund loss due to exchange difference will be left for the contract.

Tools Used

Manual analysis.

Recommended Mitigation Steps

Use real time price feed from reliable oracles for stable coin vault, just like for trading contracts, verify the prices before deposit()/withdraw().

[c4-judge]

GalloDaSballo marked the issue as duplicate of #462

[c4-judge]

GalloDaSballo marked the issue as satisfactory