Cyfrin / 2023-07-foundry-defi-stablecoin


Using the collateral assets' oracle price at 100% of its value to mint DSC without a fee can be used for arbitrage #1079

Closed codehawks-bot closed 1 year ago

codehawks-bot commented 1 year ago

Using the collateral assets' oracle price at 100% of its value to mint DSC without a fee can be used for arbitrage

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/d1c5501aa79320ca0aeaa73f47f0dbc88c7b77e2/src/DSCEngine.sol#L135-L142

Summary

Allowing users to mint DSC by utilizing the collateral assets at 100% of their value, as determined by the oracle price and without imposing any fees, exposes the system to potential arbitrage exploits.

Vulnerability Details

The oracle price cannot be trusted as the real-time price.

For instance, on the mainnet platform, the BTC/USD and ETH/USD price feeds have a "Deviation threshold" of 0.5%. This means that the price update will only occur once the price movement exceeds 0.5% within the specified heartbeat period.

Suppose the initial price point for WETH is 500 USD. In that case, the oracle price will only update if the price rises above 502 USD or falls below 498 USD.

Impact

When the market price of WETH is below the oracle price, an individual can mint 500 DSC by using just 1 WETH. Consequently, the quality of the collateral backing DSC continuously decreases.

Tools Used

Manual Review

Recommendations

Consider implementing a minting fee ranging from 0.5% to 1%. This fee should be set higher than the deviation threshold.

hans-cyfrin commented 1 year ago

It is required to be 200% collateralized.