2024-12-28
*issue*
================================================================================

USDT tokens can be drained by manipulating the USDT/USDa price

================================================================================

*issue-contents*

0 CONTENTS

*issue-metadata*

1 METADATA

Number 466
Severity High
Author 0x37
Contest Autonomint
Platform Sherlock

*issue-summary*

2 SUMMARY

The missing check on usdaPrice and usdtPrice in redeemUSDT() allows USDT tokens to be drained.

*issue-root-cause*

3 ROOT CAUSE

In CDS.sol:redeemUSDT, users can redeem USDT tokens with USDa tokens.

The redeemed USDT amount is calculated from usdaPrice and usdtPrice. The problem is that usdaPrice and usdtPrice are user-supplied inputs. A malicious user can manipulate usdaPrice and usdtPrice to drain all USDT tokens in the treasury.

    function redeemUSDT(
        CDSInterface.Interfaces memory interfaces,
        uint256 burnedUSDaInRedeem,
        uint128 usdaAmount,
        uint64 usdaPrice,
        uint64 usdtPrice
    ) external returns (uint256) {
        // according to usdt/usda's price, calculate the usdt amount.
        uint128 usdtAmount = ((usdaPrice * usdaAmount) / usdtPrice);
        ...
    }

*issue-internal-pre-conditions*

4 INTERNAL PRE-CONDITIONS

N/A

*issue-external-pre-conditions*

5 EXTERNAL PRE-CONDITIONS

N/A

*issue-attack-path*

6 ATTACK PATH

N/A

*issue-impact*

7 IMPACT

All USDT tokens will be drained by manipulating usdaPrice and usdtPrice.

*issue-poc*

8 POC

N/A

*issue-mitigation*

9 MITIGATION

Verify the input USDa/USDT price.
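
One way to implement this check, as an added example that is not code from the audited contracts: the caller-supplied prices are compared against a reference feed before the redeemUSDT formula is evaluated. ITrustedPriceFeed, RedeemPriceGuard, quoteUsdt and the 1% tolerance are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical trusted price source (assumption; not part of the audited code).
interface ITrustedPriceFeed {
    function usdaPrice() external view returns (uint64);
    function usdtPrice() external view returns (uint64);
}

contract RedeemPriceGuard {
    ITrustedPriceFeed public immutable feed;          // assumed trusted reference
    uint256 public constant MAX_DEVIATION_BPS = 100;  // assumed tolerance: 1%

    error ZeroPrice();
    error PriceOutOfBounds(uint64 supplied, uint64 trusted);

    constructor(ITrustedPriceFeed feed_) {
        feed = feed_;
    }

    // Reverts unless `supplied` is non-zero and within MAX_DEVIATION_BPS of `trusted`.
    function _checkPrice(uint64 supplied, uint64 trusted) internal pure {
        if (supplied == 0 || trusted == 0) revert ZeroPrice();
        uint256 diff = supplied > trusted ? supplied - trusted : trusted - supplied;
        if (diff * 10_000 > uint256(trusted) * MAX_DEVIATION_BPS) {
            revert PriceOutOfBounds(supplied, trusted);
        }
    }

    // Same formula as redeemUSDT, evaluated only after both prices are verified.
    function quoteUsdt(
        uint128 usdaAmount,
        uint64 usdaPrice,
        uint64 usdtPrice
    ) public view returns (uint256) {
        _checkPrice(usdaPrice, feed.usdaPrice());
        _checkPrice(usdtPrice, feed.usdtPrice());
        // Widen to uint256 before multiplying so the product cannot overflow.
        return (uint256(usdaPrice) * uint256(usdaAmount)) / uint256(usdtPrice);
    }
}
```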

================================================================================

LINKS

*issue-links*