Dry Aqua Sheep
High
The implementation utilizes the underlying locked collateral amount in the veNFT without factoring in the market price for executing the buy order.
The root cause is the amount that is multiplied with the buyRatio does not factor in the current collateral price.
uint collateralAmount = receiptData.lockedAmount; // total erc20 locked in veNFT, also locked in receipt
uint collateralDecimals = receiptData.decimals; // $AERO has 18 dp
uint amount = (buyInformation.buyRatio * collateralAmount) /
(10 ** collateralDecimals);
require(
amount <= buyInformation.availableAmount,
"Amount exceeds available amount"
);No response
No response
User A wants to buy cheap receipt tokens, so he creates a buyOrder of 0.8:1 ratio compared to the underlying amount of the receipt. On the other side User B, who has a receipt, wants quick liquidity for his receipt, so he interacts with the buyOrder.sol and calls sellNFT in order to get the liquidity from the buy order.
User B has collateral amount of 100e18 $AERO token, that is worth currently $1.30. This is not factored into calculation. During the conversation of $DAI to AERO, USER A buys the receipt for 80 DAI instead of 104 DAI (80 * $1.30 = 104 DAI worth).
User A keeps receipt, User B the liquidity loses extra $26 from the sale.
Seller loses liquidity due to selling receipt lesser than it is worth.
No response
Integrate oracle pricefeed to calculate the amount.