juancito
high
Missing access control on burnRebalancer
allows unrestricted burning of USSD tokens by anyone affecting pool balance on rebalance
USSD::burnRebalancer
is missing a modifier to only allow the rebalancer to call it. So anyone can burn any amount of USSD token from the USSD contract.
This allows anyone to alter the price of USSD/DAI by rebalancing the USSD/DAI pool via the USSDRebalancer::rebalance
function.
burnRebalancer()
can be called by anyone. _burn_()
is the internal ERC20Upgradeable
function from OpenZeppelin to burn the USSD token in this case:
function burnRebalancer(uint256 amount) public override {
_burn(address(this), amount);
}
The balance of USSD in the USSD contract is used for the amount
and the collateralFactor
in the SellUSSDBuyCollateral()
function. The totalSupply
of the token (which will be altered as well) is also used.
164: uint256 amount = IUSSD(USSD).balanceOf(USSD);
178: uint256 cf = IUSSD(USSD).collateralFactor(); // @audit-info this also uses the balance and total supply
188: uint ownval = (getOwnValuation() * 1e18 / 1e6) * IUSSD(USSD).totalSupply() / 1e6;
This is then used to swap USSD tokens for DAI via the USSD/DAI pool:
169: IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token0(), hex"0001f4", uniPool.token1())), amount);
173: IUSSD(USSD).UniV3SwapInput(bytes.concat(abi.encodePacked(uniPool.token1(), hex"0001f4", uniPool.token0())), amount);
201: IUSSD(USSD).UniV3SwapInput(collateral[i].pathbuy, daibought/portions); // <-- @audit
Anyone can unrestrictly burn USSD token, altering the contract balance and total supply.
After that anyone can alter the price of USSD by rebalancing the USSD/DAI pool via the USSDRebalancer::rebalance
function.
- https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSD.sol#L208-L210
- https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#L164
- https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSDRebalancer.sol#L169
Manual Review
Add the onlyBalancer
modifier to the function:
- function burnRebalancer(uint256 amount) public override {
+ function burnRebalancer(uint256 amount) public override onlyBalancer {
_burn(address(this), amount);
}