This repository has been archived by the owner on Jul 14, 2024. It is now read-only.

ge6a - Protocol insolvency and the user's inability to redeem their tokens #217

Closed
sherlock-admin opened this issue Jan 10, 2024 · 2 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

sherlock-admin commented Jan 10, 2024

ge6a

high

Protocol insolvency and the user's inability to redeem their tokens

Summary

In the event of a depeg of any of the collateral tokens, a situation may arise where the total value of the entire collateral, divided by the number of Ubiquity Dollar tokens, is less than 1. The redeem function operates under the assumption that the price of one Ubiquity Dollar token is $1. Therefore, if many users start exchanging their tokens for collateral, this may not be possible for some of them because there would be no available collateral at some point.

Vulnerability Detail

The only safeguard mechanism available to the protocol in the event of such an occurrence is the pausing of certain functionalities. However, this involves human interaction, and it is unclear whether the protocol administrators will react quickly enough to prevent the described scenario. No off-chain mechanisms monitoring such a situation are described in the README file.

Impact

Possible protocol insolvency - a state in which there are circulating Ubiquity Dollar tokens, but there is no collateral to back them up. I would like to note that a depeg of a stablecoin, whether brief or not so brief, is not something extremely unusual and occurs relatively often.

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L399-L465

Tool used

Manual Review

Recommendation

A possible solution is to add additional checks for the lower bound of the price of collateral tokens during the redeem process.

Duplicate of #17
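
The scenario the report describes, as an added example that is not part of the original report and is not code from LibUbiquityPool. It is a simplified model (one collateral token, no fees, integer prices scaled by 1e6); the class, function names, balances, the $0.80 depeg price and the $0.99 floor are all constructed assumptions.

```python
# Simplified model of redeeming at a fixed $1 per Ubiquity Dollar.
# Not the LibUbiquityPool implementation; all names and numbers are hypothetical.
PRICE_PRECISION = 1_000_000  # 1_000_000 == $1.00


class Pool:
    def __init__(self, collateral_units, price, price_floor=None):
        self.collateral = collateral_units  # collateral tokens held by the pool
        self.price = price                  # oracle price of one collateral token
        self.price_floor = price_floor      # None reproduces the reported behaviour

    def redeem(self, dollars):
        """Burn `dollars`, each valued at exactly $1, and pay out collateral."""
        if self.price_floor is not None and self.price < self.price_floor:
            raise RuntimeError("collateral price below floor, redemption refused")
        owed = dollars * PRICE_PRECISION // self.price  # $1 of collateral per dollar
        if owed > self.collateral:
            raise RuntimeError("insufficient collateral in pool")
        self.collateral -= owed
        return owed


def run_redemptions(pool, holders):
    """Redeem each balance in order; return (paid, unpaid) maps keyed by holder."""
    paid, unpaid = {}, {}
    for name, dollars in holders:
        try:
            paid[name] = pool.redeem(dollars)
        except RuntimeError:
            unpaid[name] = dollars
    return paid, unpaid


# Constructed scenario: 1000 dollars minted 1:1 against 1000 collateral tokens,
# after which the collateral depegs to $0.80.
HOLDERS = [("alice", 400), ("bob", 400), ("carol", 200)]


def scenario(price_floor=None):
    pool = Pool(collateral_units=1000, price=800_000, price_floor=price_floor)
    paid, unpaid = run_redemptions(pool, HOLDERS)
    return paid, unpaid, pool.collateral


if __name__ == "__main__":
    print("no floor  :", scenario())                     # pool drained, carol unpaid
    print("with floor:", scenario(price_floor=990_000))  # redemptions refused
```

Without the floor, the first two holders empty the pool and the third holds dollars with nothing backing them; with the floor, redemptions are refused while the price is below it and the collateral stays in the pool.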

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jan 14, 2024
@sherlock-admin2
1 comment(s) were left on this issue during the judging contest.

auditsea commented:

The issue describes the protocol insolvency in case of collateral depeg. It's not avoidable; that's why the protocol has a borrowing function to get yield and takes fees on mint and redeem. These features will hedge the risk from protocol insolvency.

@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jan 16, 2024
@sherlock-admin sherlock-admin changed the title Acrobatic Champagne Turkey - Protocol insolvency and the user's inability to redeem their tokens ge6a - Protocol insolvency and the user's inability to redeem their tokens Jan 24, 2024
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jan 24, 2024
@Czar102 Czar102 removed the Medium A valid Medium severity issue label Feb 14, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue labels Feb 14, 2024
@Czar102 Czar102 added the Medium A valid Medium severity issue label Feb 19, 2024
@sherlock-admin sherlock-admin added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Feb 19, 2024