Fast Cerulean Armadillo
High
The redeemUSDT function in the CDS contract allows users to manipulate prices during the redemption process due to the absence of validation checks on usdaPrice and usdtPrice parameters. This vulnerability enables malicious users to claim significantly more USDT than intended by the protocol.
The redeemUSDT function relies on user-provided prices (usdaPrice and usdtPrice) without performing any validation or verification. As a result, users can input arbitrarily high usdaPrice and low usdtPrice values to manipulate the exchange ratio in their favor and drain all usdt for very low amounts of USDA.
function redeemUSDT(
uint128 usdaAmount,
uint64 usdaPrice,
uint64 usdtPrice
) external payable nonReentrant whenNotPaused(IMultiSign.Functions(6)) {
burnedUSDaInRedeem = CDSLib.redeemUSDT(
Interfaces(
treasury,
globalVariables,
usda,
usdt,
borrowing,
CDSInterface(address(this))
),
burnedUSDaInRedeem,
usdaAmount,
usdaPrice,
usdtPrice
);
//
}
function redeemUSDT(
CDSInterface.Interfaces memory interfaces,
uint256 burnedUSDaInRedeem,
uint128 usdaAmount,
uint64 usdaPrice,
uint64 usdtPrice
) external returns (uint256) {
//
// calculate the USDT USDa ratio
uint128 usdtAmount = ((usdaPrice * usdaAmount) / usdtPrice);No response
No response
- A user initiates the redeemUSDT function with an inflated usdaPrice and a deflated usdtPrice.
- The function calculates the USDT amount using the manipulated prices:
uint128 usdtAmount = (usdaPrice * usdaAmount) / usdtPrice; - The calculated amount of USDT becomes disproportionately high.
- The protocol transfers the inflated USDT amount to the attacker.
The protocol could lose significant funds due to incorrect price calculations.
No response
Use a trusted price oracle to fetch the latest asset prices.