Delightful Syrup Scorpion - Double Debond Fee Application in _calculateBasePerPTkn()
#552
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Delightful Syrup Scorpion
High
Double Debond Fee Application in
_calculateBasePerPTkn()Summary
The debond fee is applied twice when calculating
_spTknBasePrice18in thespTknMinimalOraclecontract. This causes mispricing ofspTknwhich is used as collateral in the fraxlend pairs, allowing excess borrows.Root Cause
in the
spTknMinimalOracle, whengetPrices()is called, the _calculateBasePerPTkn function makes two adjustements. One for the pod CBR, and one for the unwrap fee: https://github.com/peapodsfinance/contracts/blob/cb71391952a4e27653816046c1947bcc3ba32066/contracts/oracle/spTKNMinimalOracle.sol#L214-L220But when accounting for the CBR, it uses .convertToAssets() on the pod, which already accounts for the unwrap/debond fee:
https://github.com/peapodsfinance/contracts/blob/cb71391952a4e27653816046c1947bcc3ba32066/contracts/WeightedIndex.sol#L128
So the debond fee is incorrectly applied twice when pricing the spTkn in the oracle.
Internal Pre-conditions
Base token is a pod token
External Pre-conditions
None
Attack Path
None
Impact
spTkn token price is overvalued
Since it is used as collateral in lending pairs, borrowers in the FraxLend pair will be able to borrow more tokens than expected making it easier to reach bad debt without liquidation
PoC
No response
Mitigation
Dont apply the debond fee twice
The text was updated successfully, but these errors were encountered: