Kinetic Disclosed Report

Audit report Kinetic Audit Contest

`useOraclePrice` Cannot Be Modified

Company
Created date: Feb 17 2025

Target

https://github.com/kinetic-market/public-money-market-contracts

Vulnerability Details

Description

In the `RedeemBurnRateCalculatorV3` contract, the value of the `useOraclePrice` variable determines whether the price is retrieved from the price oracle contract or from Uniswap V3. However, this value is immutable, meaning a deployed contract can only ever retrieve the price from one source.

Here is the relevant code:

```solidity
function shouldSkipBurnRate(
    address user,
    uint256 /*amount*/
) external view override returns (bool) {
    if (_exclusionListedAddresses.contains(user))
        return false;

    // Path 1: value the user's balance directly with the price oracle.
    if (useOraclePrice) {
        uint256 price = priceOracle.getPrice(address(protocolToken));

        return ((price * esProtocolToken.balanceOf(user) / (10**esProtocolTokenDecimals)) > burnRateThresholdUSD);
    }

    // Path 2: take the rate from Uniswap V3, then convert with the oracle price of sETH.
    uint amountOut = getAmountOut();

    uint esProtocolWNativePrice = amountOut * esProtocolToken.balanceOf(user) / (10**esProtocolTokenDecimals);

    uint sNativePrice = priceOracle.getPrice(address(sETH));

    esProtocolWNativePrice = esProtocolWNativePrice * sNativePrice / (10**sETHDecimals);

    return esProtocolWNativePrice > burnRateThresholdUSD;
}
```

The current implementation restricts the contract to always retrieve prices from only one oracle. This limits flexibility and could be suboptimal depending on the situation.

Recommendation

It is recommended to add functionality to adjust the `useOraclePrice` variable dynamically. This would allow the contract to switch between price sources based on certain conditions, providing more flexibility and responsiveness to market conditions.
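One way the recommended switch could be added without letting a single transaction flip the price source unnoticed, as an added example that is not code from the Kinetic repository or from the report author. The contract name `PriceSourceSwitch`, the `admin` role, the one-day `SWITCH_DELAY` and all function, event and error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical mixin (not Kinetic code): replaces an immutable flag with a
/// storage flag that only an admin can change, and only after a delay.
abstract contract PriceSourceSwitch {
    address public immutable admin;                 // assumption: single admin role
    uint256 public constant SWITCH_DELAY = 1 days;  // assumption: review window

    bool public useOraclePrice;         // storage variable instead of immutable
    bool public pendingUseOraclePrice;  // value queued by the admin
    uint256 public pendingEffectiveAt;  // 0 means nothing is queued

    event PriceSourceChangeQueued(bool useOraclePrice, uint256 effectiveAt);
    event PriceSourceChanged(bool useOraclePrice);

    error NotAdmin();
    error NoChange();
    error NothingPending();
    error TooEarly(uint256 effectiveAt);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(address admin_, bool useOraclePrice_) {
        admin = admin_;
        useOraclePrice = useOraclePrice_;
    }

    /// Queue a change; the event gives monitoring a chance to see it first.
    function queuePriceSource(bool newValue) external onlyAdmin {
        if (newValue == useOraclePrice) revert NoChange();
        pendingUseOraclePrice = newValue;
        pendingEffectiveAt = block.timestamp + SWITCH_DELAY;
        emit PriceSourceChangeQueued(newValue, pendingEffectiveAt);
    }

    /// Apply the queued change once the delay has elapsed.
    function applyPriceSource() external onlyAdmin {
        uint256 effectiveAt = pendingEffectiveAt;
        if (effectiveAt == 0) revert NothingPending();
        if (block.timestamp < effectiveAt) revert TooEarly(effectiveAt);
        useOraclePrice = pendingUseOraclePrice;
        pendingEffectiveAt = 0;
        emit PriceSourceChanged(useOraclePrice);
    }
}
```

A mutable flag turns the choice of price source into a privileged operation, so the access control and the emitted events become part of the contract's trust assumptions.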

Validation steps

https://github.com/kinetic-market/public-money-market-contracts/blob/d46f5223344ff6502349549ad858588e496483df/contracts/Tokenomics/RedeemBurnRateCalculatorV3.sol#L148-L152

Details

State: disclosed
Severity: None
Bounty: $71
Visibility: partially
Vulnerability: Blockchain