Open c4-bot-7 opened 10 months ago
Picodes marked the issue as duplicate of #632
Picodes marked the issue as satisfactory
Picodes removed the grade
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
othernet-global (sponsor) acknowledged
The stablecoin framework: /stablecoin, /price_feed, WBTC/WETH collateral, PriceAggregator, price feeds and USDS have been removed: https://github.com/othernet-global/salty-io/commit/88b7fd1f3f5e037a155424a85275efd79f3e9bf9
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/CoreChainlinkFeed.sol#L15 https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/CoreSaltyFeed.sol#L32-L41 https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/PriceAggregator.sol#L108
Vulnerability details
Summary
Chainlink BTC price feed is BTC/USD, not WBTC/USD. In the event of WBTC depegging, the oracle's return price will deviate from its actual value. We also provide a real-life WBTC depegging event as evidence.
This alone is not enough for the price aggregator to return the incorrect price, as an adversary needs to manipulate two of three price feeds to manipulate the price. However, due to the aggregator design, we also make an argument that in case of actual depegging, the price will indeed be easier to manipulate.
Vulnerability details
According to the official Chainlink docs, there are four price feeds for BTC on Ethereum Mainnet:
Based on the following observations, we believe Salty will use BTC/USD on the Chainlink price feed, instead of WBTC:
Historically, WBTC has depegged down to 0.98 before, in the event of wild market swing, specifically during the LUNA crash.
This article explains some of the reasons of why WBTC can depeg.
Full oracle manipulation (PoC)
This alone is not enough to manipulate the oracle entirely, as Salty uses a triple-oracle setting, consisting of Uniswap V3 TWAP, Chainlink price, and Salty pool spot price:
However, if the Chainlink price has already deviates, then an adversary will only have to manipulate one more oracle to manipulate the price feed.
The weaker Oracle out of the remaining two is the Salty WBTC pool spot price. Assuming WBTC has already depegged, an adversary can perform the following attack to gain profit:
An attacker can also take an undercollateralized position. However, this is more difficult to profit from, as it also requires rapid market swing and the lack of liquation before the position becomes insolvent. This also requires that an attacker has large enough capital.
Impact
In the event of WBTC/BTC depeg, such as rapid market swing, the price oracle will become easier to manipulate.
Recommended mitigation steps
Collect the WBTC price from two Chainlink price feeds, the BTC/USD feed and the WBTC/BTC feed, as the source of truth.
Assessed type
Oracle