Omniscia Parabola Finance Audit

Dashboard Manual Review Findings

DAS-01M: Dangerous Simplification of LP Evaluation

Type: Logical Fault
Severity: Medium
Location: Dashboard.sol:L103, L109

Description:

The Dashboard helper contract imprecisely evaluates the price of an LP token by assessing only one of the two tokens within its exchange pair and multiplying it by two.

Example:

contracts/Dashboard.sol
102 if (IUniswapV2Pair(asset).token0() == address(weth) || IUniswapV2Pair(asset).token1() == address(weth)) {
103     valueInETH = amount.mul(weth.balanceOf(address(asset))).mul(2).div(IUniswapV2Pair(asset).totalSupply());
104     valueInUSD = valueInETH.mul(ethPriceInUSD()).div(1e18);
105 } else {
106     uint balanceToken0 = IERC20(IUniswapV2Pair(asset).token0()).balanceOf(asset);
107     (uint token0PriceInETH,) = valueOfAsset(IUniswapV2Pair(asset).token0(), 1e18);
108
109     valueInETH = amount.mul(balanceToken0).mul(2).mul(token0PriceInETH).div(1e18).div(IUniswapV2Pair(asset).totalSupply());
110     valueInUSD = valueInETH.mul(ethPriceInUSD()).div(1e18);
111 }

Recommendation:

We advise that this trait of the system be revised, as it can lead to largely misleading metrics given that a pair is always at a natural imbalance.

Alleviation:

The Parabola team opted not to apply a remediation for this finding in the current iteration of the codebase.
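
The arithmetic behind DAS-01M, as an added example that is not part of the audit or of the Parabola codebase: it reproduces the doubled-side calculation of L109 with integer math and compares it against a valuation that prices both balances. The second reference price (price1_in_eth), the function names and the sample pools are assumptions constructed for illustration.

```python
WAD = 10**18  # 18-decimal fixed-point unit, matching the 1e18 literals in Dashboard.sol

def doubled_side_value(amount, balance0, price0_in_eth, total_supply):
    """Same operation order as Dashboard.sol L109; // truncates like SafeMath div."""
    return amount * balance0 * 2 * price0_in_eth // WAD // total_supply

def both_sides_value(amount, balance0, price0_in_eth,
                     balance1, price1_in_eth, total_supply):
    """Pro-rata share of both balances, each priced on its own.
    price1_in_eth is an assumed second reference price (hypothetical input)."""
    pool_value = (balance0 * price0_in_eth + balance1 * price1_in_eth) // WAD
    return amount * pool_value // total_supply

def deviation_bps(amount, balance0, price0_in_eth,
                  balance1, price1_in_eth, total_supply):
    """Signed error of the doubled-side figure, in basis points of the two-sided one."""
    doubled = doubled_side_value(amount, balance0, price0_in_eth, total_supply)
    both = both_sides_value(amount, balance0, price0_in_eth,
                            balance1, price1_in_eth, total_supply)
    if both == 0:
        return 0
    return (doubled - both) * 10_000 // both

# Constructed sample data: token0 = 0.01 ETH, token1 = 0.02 ETH, holder owns 10% of supply.
P0, P1 = WAD // 100, WAD // 50
SUPPLY = 1000 * WAD
AMOUNT = 100 * WAD
# All three pools share the same product balance0 * balance1; only the split differs.
POOLS = {
    "balanced":     (2000 * WAD, 1000 * WAD),  # both sides worth 20 ETH
    "token0_heavy": (4000 * WAD,  500 * WAD),  # 40 ETH vs 10 ETH
    "token1_heavy": (1000 * WAD, 2000 * WAD),  # 10 ETH vs 40 ETH
}

def report():
    """Deviation of the doubled-side metric for each constructed pool."""
    return {name: deviation_bps(AMOUNT, b0, P0, b1, P1, SUPPLY)
            for name, (b0, b1) in POOLS.items()}

if __name__ == "__main__":
    for name, bps in report().items():
        print(f"{name:13s} doubled-side error: {bps / 100:+.2f}%")
```

The two figures agree only when both sides of the pair carry equal value at the reference prices; a dashboard can run the same comparison as a sanity check and flag pairs whose deviation exceeds a chosen tolerance.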

DAS-02M: Inexplicable Constant Return

Type: Logical Fault
Severity: Minor
Location: Dashboard.sol:L143

Description:

The apyOfPool function returns the constant 10000 * (10 ** 18) when the token of the given pid has not yet been staked on the pool.

Example:

contracts/Dashboard.sol
134 function apyOfPool(uint256 pid) public view returns (uint apyPool) {
135     (address token,,,) = master.poolInfo(pid);
136     (uint valueInETH,) = valueOfAsset(token, IERC20(token).balanceOf(address(master)));
137
138     (uint rewardPriceInETH,) = valueOfAsset(address(reward), 1e18);
139     uint _rewardPerYearOfPool = rewardPerYearOfPool(pid);
140     if (_rewardPerYearOfPool == 0) {
141         return 0;
142     } else if (valueInETH == 0) {
143         return 10000 * (10 ** 18);
144     } else {
145         return rewardPriceInETH.mul(_rewardPerYearOfPool).div(valueInETH);
146     }
147 }

Recommendation:

We advise that this number be documented, as it currently appears incorrect.

Alleviation:

The Parabola team opted not to apply a remediation for this finding in the current iteration of the codebase.