rzizah - Flawed Price Calculation in invest Function Could Lead to Loss of Funds

[sherlock-admin4]

rzizah

Medium

Flawed Price Calculation in invest Function Could Lead to Loss of Funds

Summary

preFeeStableAmountEquivalent depends on exchangeRateNumerator which is set off-chain
a user trying to invest on-chain with invest will not recieve the same price as the off-chain investors, if any lags happen between setting the exchangeRAteNumerator and the execution on-chain, leading to potential miscalculations of preFeeStableAmountEquivalent.

Root Cause

The primary issue stems from the off-chain determination of exchangeRateNumerator, which can create a discrepancy between the set value and the actual market rate at the time of transaction execution.

Internal Preconditions

• A user triggers the invest function, providing an amount to invest.

External Preconditions

• The off-chain exchangeRateNumerator does not match the real-time market price during the transaction.

Attack Path

1. A user invests 100 USDC, with the exchangeRateNumerator fixed at 1.2.
2. When the transaction is executed on-chain, the real market price of USDC has dropped to 0.996 USD (or a significantly lower value, e.g., 0.8 USD).
3. The user benefits from this mismatch by buying USDC at the lower market rate and investing at the more favorable off-chain exchange rate.

Impact

The inconsistency between the on-chain execution and off-chain rate settings can create opportunities for exploitation, giving some users undue profit while causing financial damage to the protocol.

Mitigation

To mitigate this risk, integrate a trusted price oracle for real-time exchange rate updates. This ensures that the exchangeRateNumerator reflects accurate market conditions, eliminating reliance on static, off-chain values and aligning the investment calculations with up-to-date prices.