Omniscia Moby Audit
VaultPriceFeed Manual Review Findings
VaultPriceFeed Manual Review Findings
VPF-01M: Uncommented Implementation Code
| Type | Severity | Location |
|---|---|---|
| Logical Fault |  | VaultPriceFeed.sol:L167 |
Description:
The VaultPriceFeed::getSpotPrice function contains a TODO comment as well as important statement in its functionality commented out.
Impact:
All TODO related adjustments will be marked as informational given that they present "known-issues".
Example:
166//TODO ENABLE WHEN CONNECTED TO CHAINLINK167// uint256 price = getOraclePrice(_token, _maximise);168uint256 price = 0;Recommendation:
We advise it to be reintroduced, ensuring that the code behaves as expected.
Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):
The relevant assignment has been properly uncommented, addressing this exhibit.
VPF-02M: Insecure Price Assumption
| Type | Severity | Location |
|---|---|---|
| Logical Fault |  | VaultPriceFeed.sol:L175-L178 |
Description:
The VaultPriceFeed::getSpotPrice function will ignore minor fluctuations in the price of a stable coin utilized in the system due to a mechanism that evaluates the delta and yields ONE_USD if it is less than the maxStrictPriceDeviation.
Impact:
The VaultPriceFeed::getSpotPrice function will yield a price of "1" even if the underlying stablecoin has deviated from it, opening up arbitrage opportunities depending on market sentiment around the stablecoin.
Example:
175uint256 delta = price > ONE_USD ? (price - ONE_USD) : (ONE_USD - price);176if (delta <= maxStrictPriceDeviation) {177 return ONE_USD;178}Recommendation:
We advise this mechanism to be revisited, as even minor fluctuations in the underlying stablecoin open up arbitrage opportunities that can leak value from the protocol.
Alleviation (b02fae335f):
The Moby team has evaluated this exhibit and opted to acknowledge this behaviour.
We consider this exhibit acknowledged, however, we strongly advise the Moby team to closely monitor the stablecoin's peg situation and update the configuration of the contract accordingly.
Alleviation (a8720219a6):
The Moby team has clarified that it is their business intention to consider variations within $0.05 of a stable coin to be considered as $1.
As such, we consider this exhibit nullified based on the fact that it represents a desirable business trait, and continue to advise the Moby to closely monitor their deployment and ensure this simplification does not have wider economical impact on their overall system.