090.md

juancito

medium

calculateMint returns the amount of tokens to be minted for the first registered collateral instead of reverting

Summary

USSD::getCollateralIndex returns the first collateral instead of reverting when consulted about an unregistered token.

USSD::calculateMint uses USSD::getCollateralIndex, so it will return the amount of tokens to be minted for the first collateral.

Vulnerability Detail

USSD::getCollateralIndex will return index == 0 if it doesn't find the token, as it is its default value:

    function getCollateralIndex(
        address _token
    ) public view returns (uint256 index) {
        for (index = 0; index < collateral.length; index++) {
            if (collateral[index].token == _token) {
                return index;
            }
        }
    }

Link to code

USSD::calculateMint uses USSD::getCollateralIndex, so it will return the amount of tokens to be minted for the first collateral:

    function calculateMint(address _token, uint256 _amount) public view returns (uint256 stableCoinAmount) {
        uint256 assetPrice = collateral[getCollateralIndex(_token)].oracle.getPriceUSD();
        return (((assetPrice * _amount) / 1e18) * (10 ** decimals())) / (10 ** IERC20MetadataUpgradeable(_token).decimals());
    }

Link to code

Impact

The amount of tokens to be minted will be calculated incorrectly.

Code Snippet

• https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSD.sol#L125-L133
• https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSD.sol#L170-L173

Tool used

Manual Review

Recommendation

Revert getCollateralIndex when the collateral token was not found:

    function getCollateralIndex(
        address _token
    ) public view returns (uint256 index) {
        for (index = 0; index < collateral.length; index++) {
            if (collateral[index].token == _token) {
                return index;
            }
        }
+       revert("collateral not found");
    }