The DSCEngine contract uses a BTC/USD Chainlink oracle to determine the price of Wrapped Bitcoin (WBTC). This approach could potentially lead to significant issues if WBTC were to depeg from Bitcoin (BTC). In such a case, WBTC would no longer maintain a 1:1 value ratio with BTC, potentially leading to incorrect valuations of the asset. This could allow borrowing against a devalued asset and the accumulation of bad debt.
Vulnerability Details
The DSCEngine contract retrieves the price of WBTC using a BTC/USD Chainlink oracle. While this approach is generally correct (as WBTC is supposed to represent a 1:1 value ratio with BTC), it might lead to issues if WBTC were to depeg from BTC due to problems with the WBTC issuance or redemption process.
    function getUsdValue(address token, uint256 amount) public view returns (uint256) {
        AggregatorV3Interface priceFeed = AggregatorV3Interface(s_priceFeeds[token]);
        (, int256 price,,,) = priceFeed.staleCheckLatestRoundData();
        // 1 ETH = $1000
        // The returned value from CL will be 1000 * 1e8
        return ((uint256(price) * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION;
    }
In this function, priceFeed is a reference to a BTC/USD Chainlink oracle. The function simply retrieves the latest BTC price and returns it as the WBTC price.
Impact
The contract might over- or under-value WBTC, which could lead to incorrect collateral ratios. If the contract allows users to borrow against devalued WBTC, it could accumulate bad debt.
Tools Used
Manual review
Recommendations
A dual oracle system for pricing WBTC is suggested. This setup would use both the BTC/USD Chainlink oracle and another on-chain liquidity-based oracle, such as UniV3 TWAP.
The dual oracle system serves two main roles:
It lowers the chance of price manipulation by using the Chainlink oracle, which provides accurate WBTC pricing.
It provides a safety net against WBTC depegging by including an on-chain liquidity-based oracle. If the price from the liquidity-based oracle deviates from the Chainlink oracle's price (e.g., drops by 2%), the system could stop borrowing activities.
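The deviation check recommended above, as an added Solidity example (not code from the audited repository). The IWbtcTwapOracle adapter, the WbtcDepegGuard contract and the 8-decimal scaling of the liquidity-based price are assumptions; the 2% threshold is the example figure from the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

// Hypothetical adapter (assumption): wraps a liquidity-based source such as a
// UniV3 TWAP and returns the WBTC/USD market price scaled to 8 decimals,
// the same scale as the Chainlink BTC/USD answer.
interface IWbtcTwapOracle {
    function wbtcUsdPrice() external view returns (uint256);
}

contract WbtcDepegGuard {
    error WbtcDepegGuard__InvalidPrice();
    error WbtcDepegGuard__DepegDetected(uint256 btcUsd, uint256 wbtcUsd);

    uint256 private constant BPS = 10_000;
    uint256 public constant MAX_DISCOUNT_BPS = 200; // 2%, example threshold from the text

    AggregatorV3Interface private immutable i_btcUsdFeed;
    IWbtcTwapOracle private immutable i_wbtcTwap;

    constructor(address btcUsdFeed, address wbtcTwap) {
        i_btcUsdFeed = AggregatorV3Interface(btcUsdFeed);
        i_wbtcTwap = IWbtcTwapOracle(wbtcTwap);
    }

    /// @notice True when the market price of WBTC sits more than
    ///         MAX_DISCOUNT_BPS below the Chainlink BTC/USD price.
    function isDepegged() public view returns (bool depegged, uint256 btcUsd, uint256 wbtcUsd) {
        // A staleness check on the feed is assumed to be applied separately.
        (, int256 answer,,,) = i_btcUsdFeed.latestRoundData();
        if (answer <= 0) revert WbtcDepegGuard__InvalidPrice();
        btcUsd = uint256(answer);
        wbtcUsd = i_wbtcTwap.wbtcUsdPrice();
        if (wbtcUsd == 0) revert WbtcDepegGuard__InvalidPrice();
        // wbtcUsd < btcUsd * (1 - 2%), rearranged to avoid division.
        depegged = wbtcUsd * BPS < btcUsd * (BPS - MAX_DISCOUNT_BPS);
    }

    /// @notice Call at the top of any borrow path that accepts WBTC collateral.
    function revertIfDepegged() external view {
        (bool depegged, uint256 btcUsd, uint256 wbtcUsd) = isDepegged();
        if (depegged) revert WbtcDepegGuard__DepegDetected(btcUsd, wbtcUsd);
    }
}
```

Only borrowing is gated here; repayment and liquidation paths stay open so existing positions can still be unwound while the guard is tripped.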
Risk of incorrect WBTC pricing due to possible WBTC depegs from BTC
Severity
Medium Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/libraries/OracleLib.sol#L21-#L33