'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
OpenEden Disclosed Report
Audit report OpenEden Smart Contract Audit ContestLack of USDC Peg and Price Freshness Validation in OpenEdenVaultV4 Allows Share Inflation and Economic Exploitation During Depeg Events
Target
https://github.com/OpenEdenHQ/openeden.vault.audit/tree/d18288e944df21729b18d430b2afec2da99b6287
Vulnerability Details
Summary
The OpenEdenVaultV4 contract has completely removed on-chain checks for USDC/USD price peg and price feed freshness that were present in the previous version (V3). In V3, deposit, redemption, and withdrawal queue processing were all gated by a modifier (onlyValidPrice) that required USDC to remain within a configurable depeg threshold and the price feed to be fresh.
In V4, any user can deposit or redeem USDC at a hardcoded $1 rate, even if USDC has lost its peg (e.g., trading at $0.80 on secondary markets), as the contract no longer references any USDC/USD oracle. This exposes the protocol and all vault participants to share inflation and economic loss: attackers can arbitrage by depositing depegged USDC and redeeming for full-value assets, diluting the value of all shares in the vault.
Vulnerability Details
// @audit-issue Lack of USDC peg/freshness guard in deposit/redeem logic
// V3 Example (removed in V4):
modifier onlyValidPrice() {
(, int256 answer1, , uint256 updateAt, ) = usdcUsdPriceFeed.latestRoundData();
require(block.timestamp - updateAt <= maxTimeDelay, "stale usdc answer!");
require(answer1 > 0, "should gt 0");
uint256 answer = uint256(answer1);
uint256 depeg = ...;
require(depeg <= max, "usdc and usd depeg!");
_;
}
function deposit(...) external onlyValidPrice { ... }
function redeem(...) external onlyValidPrice { ... }
function processWithdrawalQueue(...) external onlyValidPrice { ... }
// V4: All references to onlyValidPrice and usdcUsdPriceFeed removed.
// No on-chain USDC price/freshness checks exist.
Issue Identified
-
V3 required all major user actions to pass USDC/USD price and staleness checks.
-
V4 has no such checks: deposits and redemptions always assume USDC = $1, regardless of actual market price or oracle feed state.
-
Attackers can deposit large amounts of depegged USDC (e.g., trading at $0.80), receive shares valued at $1/USDC, and later redeem for full-value assets once the peg is restored or through alternate redemption mechanisms.
Risk
Likelihood - Medium:
- USDC depegs have happened historically, and future market shocks remain plausible.
- There is no need for an attacker to manipulate oracles or perform complex technical attacks—simply acquiring depegged USDC is sufficient.
Impact - High:
- Share inflation: Attackers extract value from honest vault participants, reducing the share price for everyone else.
- Large-scale economic loss is possible if depegged USDC is deposited in bulk before manual intervention or pausing by off-chain governance.
- Permanent protocol loss: Existing users cannot be compensated after dilution occurs.
Tools Used
- Manual Review
Recommendations
Reintroduce On-Chain USDC Peg and Freshness Checks
Add a modifier (similar to V3's onlyValidPrice) on all deposit, redeem, and withdrawal queue processing entry points, enforcing that:
Example fix:
modifier onlyValidPrice() {
(, int256 answer1, , uint256 updateAt, ) = usdcUsdPriceFeed.latestRoundData();
require(block.timestamp - updateAt <= maxTimeDelay, "stale usdc answer!");
require(answer1 > 0, "bad price");
uint256 answer = uint256(answer1);
uint256 numerator = ONE > answer ? ONE - answer : answer - ONE;
uint256 denominator = (ONE + answer) / 2;
uint256 depeg = (numerator * ONE) / denominator;
uint256 max = (maxDepeg * ONE) / BPSUNIT;
require(depeg <= max, "usdc and usd depeg!");
_;
}
function deposit(...) external onlyValidPrice { ... }
function redeem(...) external onlyValidPrice { ... }
function processWithdrawalQueue(...) external onlyValidPrice { ... }
This ensures the protocol cannot be economically attacked using depegged USDC or stale price data.
Validation steps
1 . Deploy the OpenEdenVaultV4 contract Deploy OpenEdenVaultV4 with USDC (or mock USDC, 6 decimals) as the underlying token. Make sure the price feed address for USDC/USD is unset or not referenced anywhere in the contract logic.
2 . Simulate a USDC depeg event For testing, simply assume or configure your mock USDC token to have a market price of $0.80 (while the contract will always treat 1 USDC as $1).
3 . Acquire discounted USDC From a different account, acquire 1,000,000 USDC at $0.80 per token (simulate this by minting or transferring tokens).
4 . Approve and deposit depegged USDC
Approve the OpenEdenVaultV4 contract to spend your USDC, then call deposit(1_000_000e6, attacker).
5 . Verify shares received Check the attacker’s share balance. It should reflect a value near $1,000,000 (minus any fee), even though attacker only spent $800,000.
6 . Redeem shares when USDC returns to $1
Simulate a return to
$1 parity or redemption via redeemIns/redeem. Attacker receives close to $1,000,000 USDC.
7 . Validate economic impact
- The attacker profits ~$200,000, extracted from vault assets.
- Other vault participants’ share value is diluted.
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (4) 
