You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 7, 2024. It is now read-only.
sherlock-admin opened this issue
Jul 3, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
The oracle has a stablePrice mapping that maps an underlying asset to some stable price. Such practices are highly discouraged because while the likelihood of either stablecoin (which is arguably the least volatile asset) de-pegging is low, it is not zero.
Vulnerability Detail
There have been many instances of stablecoin losing their peg due to market conditions. For instance, with the recent market downturn in March 2023, compound was 3 cents away from having all its USDT swapped out for USDC because they hardcoded the value of USDC to 1.
Impact
If the value of these assets deviates too much from their supposedly stable price, the entire protocol can be compromised. For instance, the spread may be validated wrongly, the liquidation info may be reported wrongly, the pnl retrieved may be calculated wrongly.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
p12473
high
Stable assets should not be hardpegged to 1
Summary
The oracle has a
stablePrice
mapping that maps an underlying asset to some stable price. Such practices are highly discouraged because while the likelihood of either stablecoin (which is arguably the least volatile asset) de-pegging is low, it is not zero.Vulnerability Detail
There have been many instances of stablecoin losing their peg due to market conditions. For instance, with the recent market downturn in March 2023, compound was 3 cents away from having all its USDT swapped out for USDC because they hardcoded the value of USDC to 1.
Impact
If the value of these assets deviates too much from their supposedly stable price, the entire protocol can be compromised. For instance, the spread may be validated wrongly, the liquidation info may be reported wrongly, the pnl retrieved may be calculated wrongly.
Code Snippet
https://github.com/hubble-exchange/hubble-protocol/blob/d89714101dd3494b132a3e3f9fed9aca4e19aef6/contracts/Oracle.sol#L24-L36
Tool used
Manual Review
Recommendation
Remove the use of this mapping entirely.
Duplicate of #69
The text was updated successfully, but these errors were encountered: