Update crvusd stableswap factory implementations

Summary:

Update crvusd stableswap factory implementations for balances and prices.

Abstract:

Auditors found some issues with price oracles in the crvusd factory implementation contracts for the balances and prices implementations. These do not impact LPs at all and, to our knowledge, nobody uses the faulty oracles (crvusd is safe). This vote proposes to replace the faulty implementations with safe ones.

Motivation:

During a secondary audit of stableswap-ng by yAudit, an issue with oracles was observed. The bug was found to affect all current deployments of stableswap-ng (expect new implementations there) and also some older implementations in the crvusd stableswap factory. Since the pool’s functioning does not depend on price oracles, there is no concern here for liquidity providers, i.e. this issue does not impact LPs in any way but does make the oracles for some pool types manipulable. To our knowledge, these oracles are not used by anyone. A full list of pools is presented in the following.

This proposal replaces the faulty implementations with new ones.

Specification:

Affected pools (tvl > 0) from crvusd stableswap factory:

https://etherscan.io/address/0xB9eC78Bd89d3Ef17537f130CC72750FD4DE85f82#code
https://etherscan.io/address/0x707EAe1CcFee0B8fef07D3F18EAFD1246762d587#code
https://etherscan.io/address/0x2dabF79E16ceb92B651651f47b6E835C9DB5828A#code
https://etherscan.io/address/0x5DAC17902066D261e3701e6f52150A614cd8bdE7#code
https://etherscan.io/address/0x69B6dA941E6A8960f480709281b87B1C32fF8366#code
https://etherscan.io/address/0xfEF79304C80A694dFd9e603D624567D470e1a0e7#code
https://etherscan.io/address/0x1539c2461d7432cc114b0903f1824079BfCA2C92#code

All pools created with implementation index 0 are fine.

Faulty implementations:
balances: “0x7Ca46A636b02D4aBC66883D7FF164bDE506DC66a”
prices: “0x36Dc03C0e12a1C241306a6A8F327Fe28bA2Be5b0”

New implementations:
balances: “0xc65CB3156225380BEda366610BaB18D5835A1647”
prices: “0xa0EC67a3C483674f77915893346A8CA3AbE2b785”

For:
Replace faulty implementations with new ones.

Against:
Do not replace faulty implementations with new ones.

Proposal:
https://dao.curve.fi/vote/ownership/514
