Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

libratus - Depeg cannot be triggered if asset restores its peg after a short depeg #369

Closed
sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Closed

libratus - Depeg cannot be triggered if asset restores its peg after a short depeg #369

sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Mar 27, 2023
edited by dmitriia
Loading

libratus

medium

Depeg cannot be triggered if asset restores its peg after a short depeg

Summary

Vault token can fall below strike price and then rise back up. Theoretically, it can happen for only a few blocks and the triggerDepeg function may not be called on the controller. Then, it will be impossible to trigger depeg after the price is restored.

Vulnerability Detail

triggerDepeg function can only succeed if the current asset price is below the strike price

       int256 price = getLatestPrice(premiumVault.token());

       if (int256(premiumVault.strike()) <= price)
           revert PriceNotAtStrikePrice(price);

Latest round value is used from chainlink to get the current price

        (uint80 roundID, int256 price, , , uint80 answeredInRound) = priceFeed
            .latestRoundData();

To perform a strike, the contract relies on calling triggerDepeg function during the de-peg event. However, if the event is short-lived and the peg restores quickly, the strike may not be executed. Let's say there is a background job that monitors prices and calls triggerDepeg. The job may fail to execute the call for a number of reasons:

  • The job went down for that period of time or encountered networking issues
  • Problems with the RPC endpoint
  • Network is overloaded (not out of the question during black swan events)

By the protocol design, when de-peg happens, the epoch has to end. In practice, this may not always happen, because the protocol doesn't allow triggering depeg based on historic Chainlink values.

Impact

Hedge depositors may lose their rewards if triggerDepeg isn't called during a short de-peg event.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#LL64-L65C49

Tool used

Manual Review

Recommendation

Allow users to provide roundId to triggerDepeg function. Instead of making a Chainlink call to latestRoundData() use getRoundData(roundId) and validate that the round is within bounds of the epoch. Refer to Chainlink documentation:
https://docs.chain.link/data-feeds/historical-data/#historical-rounds

Duplicate of #422
@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Apr 3, 2023
@dmitriia dmitriia added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Apr 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dmitriia @sherlock-admin