Lines of code

Vulnerability details

Impact

Protocol currently knows about how this could be an effect, since the comments to both previewDeposit() and convertToShares() suggest that any difference attached to this should be considered slippage, but measures are not taken to ensure that this slippage is not massive, say an abrupt crash like that of UST were to happen, this would immensely affect the protocol and even be way worse since prices are only updated per epoch and users can unknowingly/knowingly position themselves in a way to benefit the most from this

Proof of Concept

See Impact

Do note that the developers are somewhat aware of how this implementation is risky, since the docs clearly state how sharp price declines can come up for markets of securitized products

Additionally note that the prices are updated once an epoch (duration of epoch has currently not being decided upon), as has been stated here: <https://docs.centrifuge.io/getting-started/securitization/#epoch-mechanism&gt;

Lastly, whatever duration is even later on set, this could still be an issue, it just depends on how volatile the underlying assets are.

Tool used

Manual Review

Recommended Mitigation Steps

A deviation threshold could be set and rewards attached to anyone that can raise an alert whenever an asset falls over the accepted deviation mark, if price movement does not pass this deviaition mark, then prices can then be updated after an epoch, this is similar to widely accepted chainlink price updating mechanism, where heartbeats exist and deviation thresholds, do note that the heartbeats and deviation threshold if going to be applied shouldn’t be the same for all tranche tokens but it should be dependent on what type of assets are in the RWA pool, if very active/volatile then smaller durations should be set, if not, the otherwise should be practised

Assessed type

Context

The text was updated successfully, but these errors were encountered:

All reactions