This repository has been archived by the owner on Jan 7, 2024. It is now read-only.
sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
When calculating a price via either oracle.sol#getUnderlyingPrice() or oracle.sol#getUnderlyingTwapPrice(), a check is made whether the underlying token for which we are gathering the price is a stablecoin or not; if yes, a stable value is returned, which is wrong.
Vulnerability Detail
Check made on oracle.sol:
```solidity
//E if token is a stablecoin we return its price
if (stablePrice[underlying] != 0) {
    return stablePrice[underlying];
}
```
But in DeFi we can't assume a price is stable: regarding the UST debacle and the USDT or USDC depegs, there is always a risk that the price won't be the same as the one that has been fixed in Oracle.sol#setStablePrice(underlying,price):
```solidity
//E set stablePrice for a stablecoin
function setStablePrice(address underlying, int256 price) external onlyGovernance {
    requireNonEmptyAddress(underlying);
    require(price > 0, "stablePrice=0");
    stablePrice[underlying] = price;
}
```
So using this kind of function is really a bad way of gathering stablecoin prices and could lead to liquidation, loss of funds, and bot opportunities when a depeg happens, for users using stablecoin prices across the whole Hubble protocol.
Impact
Liquidation, manipulation, and loss of funds for users that are using the Hubble protocol, trusting the stablecoin price to always be stable.
lil.eth
high
Oracle.sol Assume that stablecoin Price is stable
Code Snippet
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/Oracle.sol#L44-L46
Tool used
Manual Review
Recommendation
Consider using a price feed from trusted and established oracle providers like Chainlink, Band Protocol or Flux to gather stablecoin prices.
Duplicate of #69
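
The recommendation above, as an added example that is not part of the original report or the Hubble code base: a Solidity contract that returns a validated Chainlink feed price for a stablecoin and flags drift from the governance-set peg. The contract name, `setStableFeed`, `isDepegged`, the 6-decimal price scale and both thresholds are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract: names, scale and thresholds are assumptions for illustration.
contract StablecoinFeedOracle {
    int256 public constant PRECISION = 1e6;         // assumed price scale (6 decimals)
    int256 public constant MAX_DEVIATION_BPS = 100; // assumed depeg threshold: 1%
    uint256 public constant MAX_AGE = 1 hours;      // assumed staleness bound

    address public immutable governance;
    mapping(address => int256) public stablePrice;               // nominal peg, as in setStablePrice
    mapping(address => AggregatorV3Interface) public stableFeed; // market feed per stablecoin

    constructor() { governance = msg.sender; }

    // Registers the nominal peg together with the feed that reports the market price.
    function setStableFeed(address underlying, int256 peg, AggregatorV3Interface feed) external {
        require(msg.sender == governance, "only governance");
        require(underlying != address(0) && address(feed) != address(0), "zero address");
        require(peg > 0, "stablePrice=0");
        stablePrice[underlying] = peg;
        stableFeed[underlying] = feed;
    }

    // Returns the validated market price instead of the fixed peg.
    function getUnderlyingPrice(address underlying) public view returns (int256) {
        AggregatorV3Interface feed = stableFeed[underlying];
        require(address(feed) != address(0), "no feed");
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "bad answer");
        require(block.timestamp - updatedAt <= MAX_AGE, "stale price");
        // uint256(10) keeps the power from being evaluated in uint8.
        return answer * PRECISION / int256(uint256(10) ** feed.decimals());
    }

    // True when the market price has drifted from the nominal peg by more than the threshold.
    function isDepegged(address underlying) external view returns (bool) {
        int256 peg = stablePrice[underlying];
        int256 diff = getUnderlyingPrice(underlying) - peg;
        if (diff < 0) diff = -diff;
        return diff * 10000 > peg * MAX_DEVIATION_BPS;
    }
}
```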