Hardcoded stable coin exchange rate #397
Labels: 3 (High Risk) (Assets can be stolen/lost/compromised directly); bug (Something isn't working); duplicate-462; satisfactory (satisfies C4 submission criteria; eligible for awards)
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/StableVault.sol#L44-L72
Vulnerability details
Impact
Currently the exchange rate between tigUSD and the other stablecoins is hardcoded as 1:1. According to the doc
However, mainstream stablecoin prices do fluctuate: USDT, USDC and DAI can all trade above or below $1. If a strict 1:1 exchange rate is applied regardless, there will at times be an arbitrage opportunity and the contract could suffer a loss of funds.
Proof of Concept
The historical prices of several stablecoins show that each one can deviate from 1, and that the deviations of different stablecoins are not in phase with each other, which leaves room to take advantage of the tigUSD vault.
USDT
On 11/21/2018 the price fell to as low as 0.9734, and on 12/20/2018 it rose to as high as 1.024.
USDC
On 03/19/2020 the price fell to as low as 0.9709, and on 01/31/2020 it rose to as high as 1.0436.
DAI
On 05/16/2020 the price fell to as low as 0.9846, and on 09/11/2020 it rose to as high as 1.0423.
Considering the non-transparency of USDT, the regulatory risk around USDC and other DeFi protocols, the possibility of an unforeseen attack compromising an issuer's contract, and so on (not to mention the collapse of LUNA/UST), stablecoin prices are not guaranteed to stay around 1 USD.
The exchange rate between tigUSD and the other stablecoins is hardcoded as 1:1 in StableVault.sol.
If one day USDT falls to 0.99 while DAI is still at 1.00, users can deposit USDT and withdraw DAI until the vault's entire DAI balance is drained. The loss from the exchange-rate difference is borne by the contract.
Tools Used
Manual analysis.
Recommended Mitigation Steps
Use a real-time price feed from reliable oracles for the stablecoin vault, just as the trading contracts do, and verify the prices before deposit()/withdraw().
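The following is an added illustration of that mitigation; it is not Tigris code and does not reproduce StableVault.sol. It assumes a Chainlink-style AggregatorV3Interface feed per listed token, an 8-decimal USD feed, listed tokens that share the vault token's decimals, and a 0.5% peg tolerance and 1-hour staleness window; the contract and function names are hypothetical. The vault still mints and redeems 1:1, but only after checking that the specific token being moved is fresh-priced and within tolerance of $1, so a depegged token can no longer be swapped for a pegged one at par.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical example (not Tigris code): a stablecoin vault that keeps a 1:1
// mint/redeem rate but refuses deposits or withdrawals of any token whose oracle
// price has drifted from the peg or is stale. Feed interface mirrors Chainlink's
// AggregatorV3Interface; tolerance and staleness values are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract PegCheckedVault {
    uint256 public constant PEG = 1e8;               // $1.00 in 8-decimal feed units
    uint256 public constant MAX_DEVIATION = 5e5;     // 0.5% of PEG (assumed tolerance)
    uint256 public constant MAX_STALENESS = 1 hours; // assumed freshness window

    address public immutable owner;
    mapping(address => AggregatorV3Interface) public feeds; // token => token/USD feed
    mapping(address => uint256) public balances;             // vault-token balance per user

    constructor() {
        owner = msg.sender;
    }

    // List a stablecoin with its USD price feed; only 8-decimal feeds are accepted
    // so that PEG and MAX_DEVIATION are in the same units as the feed answer.
    function listToken(address token, address feed) external {
        require(msg.sender == owner, "not owner");
        require(AggregatorV3Interface(feed).decimals() == 8, "feed must have 8 decimals");
        feeds[token] = AggregatorV3Interface(feed);
    }

    // Reverts unless `token` has a listed feed, the latest round is complete and
    // fresh, and the reported price is within MAX_DEVIATION of $1.
    function _assertPegged(address token) internal view {
        AggregatorV3Interface feed = feeds[token];
        require(address(feed) != address(0), "token not listed");
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "invalid price");
        require(answeredInRound >= roundId, "incomplete round");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale price");
        uint256 price = uint256(answer);
        uint256 diff = price > PEG ? price - PEG : PEG - price;
        require(diff <= MAX_DEVIATION, "token depegged");
    }

    // 1:1 credit is safe here only because the peg was just verified for this token.
    function deposit(address token, uint256 amount) external {
        _assertPegged(token);
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[msg.sender] += amount;
    }

    // Same check on the way out: a user cannot redeem into a token that is
    // currently trading above peg, nor redeem out of one that has fallen below it.
    function withdraw(address token, uint256 amount) external {
        _assertPegged(token);
        balances[msg.sender] -= amount; // reverts on underflow in ^0.8
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }
}
```

Checking the peg on both legs matters: in the report's scenario (USDT at 0.99, DAI at 1.00) the deposit of USDT already reverts, and even if the tolerance were wider, the withdrawal check would still reject redeeming into DAI if DAI had moved above peg. The staleness and `answeredInRound` checks prevent a frozen or lagging feed from reporting a stale $1.00 during exactly the kind of depeg event the report describes.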