Skip to content

Latest commit

 

History

History
74 lines (45 loc) · 2.82 KB

086.md

File metadata and controls

74 lines (45 loc) · 2.82 KB

juancito

high

Missing access control on burnRebalancer allows unrestricted burning of USSD tokens by anyone affecting pool balance on rebalance

Summary

USSD::burnRebalancer is missing a modifier to only allow the rebalancer to call it. So anyone can burn any amount of USSD token from the USSD contract.

This allows anyone to alter the price of USSD/DAI by rebalancing the USSD/DAI pool via the USSDRebalancer::rebalance function.

Vulnerability Detail

burnRebalancer() can be called by anyone. _burn_() is the internal ERC20Upgradeable function from OpenZeppelin to burn the USSD token in this case:

    function burnRebalancer(uint256 amount) public override {
        _burn(address(this), amount);
    }

Link to code

The balance of USSD in the USSD contract is used for the amount and the collateralFactor in the SellUSSDBuyCollateral() function. The totalSupply of the token (which will be altered as well) is also used.

164:    uint256 amount = IUSSD(USSD).balanceOf(USSD);

178:    uint256 cf = IUSSD(USSD).collateralFactor(); // @audit-info this also uses the balance and total supply

188:    uint ownval = (getOwnValuation() * 1e18 / 1e6) * IUSSD(USSD).totalSupply() / 1e6;

Link to code

This is then used to swap USSD tokens for DAI via the USSD/DAI pool:

169:    IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token0(), hex"0001f4", uniPool.token1())), amount);

173:    IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token1(), hex"0001f4", uniPool.token0())), amount);

201:    IUSSD(USSD).UniV3SwapInput(collateral[i].pathbuy, daibought/portions); // <-- @audit

Link to code

Impact

Anyone can unrestrictly burn USSD token, altering the contract balance and total supply.

After that anyone can alter the price of USSD by rebalancing the USSD/DAI pool via the USSDRebalancer::rebalance function.

Code Snippet

Tool used

Manual Review

Recommendation

Add the onlyBalancer modifier to the function:

-    function burnRebalancer(uint256 amount) public override {
+    function burnRebalancer(uint256 amount) public override onlyBalancer {
        _burn(address(this), amount);
    }