Skip to content

Latest commit

 

History

History
56 lines (37 loc) · 2.39 KB

052.md

File metadata and controls

56 lines (37 loc) · 2.39 KB

coincoin

high

burnRebalancer() and mintRebalancer() miss theonlyBalancer() modifier

Summary

The two functions burnRebalancer and mintRebalancer are missing a modifier to restrict their usage.

Vulnerability Detail

The two functions burnRebalancer and mintRebalancer are public and can be executed by anyone. Those two functions call respectively _burn and _mint functions which do not make any checks. Any amount of USSD can be minted or burned for the USSD contract.

Impact

The USSD contract USSD balance is used in the rebalancer code for accounting, manipulating the USSD contract balance will result in improper accounting while rebalancing. We can think of this scenario:

  1. Attacker make sure that the USSD<>DAI pool is imbalanced (more DAI than USSD)
  2. Attacker mint a lot of USSD for the USSD contract
  3. Attacker call rebalance which should trigger USSD sell, the USSD<>DAI pool is therefore inundated with USSD as UniV3SwapInput set amountOutMinimum: 0.
  4. USSD value become worthless on the market (DAI<>USSD pool)
  5. Another rebalance() can be triggered to sell all collaterals

Code Snippet

mintRebalancer https://github.com/sherlock-audit/2023-05-USSD/blob/6d7a9fdfb1f1ed838632c25b6e1b01748d0bafda/ussd-contracts/contracts/USSD.sol#L204

burnRebalancer https://github.com/sherlock-audit/2023-05-USSD/blob/6d7a9fdfb1f1ed838632c25b6e1b01748d0bafda/ussd-contracts/contracts/USSD.sol#L208

Occurrence where the USSD amount of the USSD contract is used:

Tool used

Manual Review

Recommendation

onlyBalancer modifier should be used:

- function mintRebalancer(uint256 amount) public override {
+ function mintRebalancer(uint256 amount) public override onlyBalancer {
    _mint(address(this), amount);
}

- function burnRebalancer(uint256 amount) public override {
+ function burnRebalancer(uint256 amount) public override onlyBalancer {
   _burn(address(this), amount);
}