Closed c4-bot-9 closed 8 months ago
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/price_feed/CoreChainlinkFeed.sol#L21
Vulnerability details
Impact
In the event of a WBTC depeg, users can perform arbitrages against the protocol, as the actual price of WBTC will be lower than the protocol expects.
WBTC depeg is not theoretical. It has already happened not so long ago, with WBTC trading up to 2% below the price of BTC. Ref#1 | Ref#2
Proof of Concept
The Chainlink price feed is using the BTC/USD price:
CHAINLINK_BTC_USD = AggregatorV3Interface(_CHAINLINK_BTC_USD);
CoreChainlinkFeed.sol#L21
As BTC is not native to Ethereum, a wrapped version, WBTC, is used in the protocol.
The problem is that WBTC can depeg from BTC, as shown in the links in the Impact section.
This means that in case of a depeg, getPriceBTC() will continue to report the same price (even though the WBTC token will actually have a lower price).
This is used by the price aggregator, which will report an incorrect price to the CollateralAndLiquidity function to get the underlying value in USD.
The protocol will consider that the collateral is worth more than its real value, allowing arbitrageurs to:
Recommended Mitigation Steps
Calculate the actual price of WBTC, combining WBTC/BTC + BTC/USD feeds.
Keep in mind the differences in heartbeat, deviation, and decimals of the WBTC/BTC feed.
Assessed type
Oracle
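One way to implement the recommended mitigation, as an added example that is not part of the original report or the Salty code base: it multiplies the WBTC/BTC and BTC/USD answers after checking each feed against its own staleness limit and scaling each to 18 decimals. The contract name, getPriceWBTC() and the max-age parameters are hypothetical; the max ages are assumed to be set by the deployer from each feed's published heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract: names and staleness limits are assumptions for this example.
contract WbtcUsdFeedExample {
    AggregatorV3Interface public immutable btcUsd;   // BTC/USD feed
    AggregatorV3Interface public immutable wbtcBtc;  // WBTC/BTC feed
    uint256 public immutable btcUsdMaxAge;   // seconds, derived from the BTC/USD heartbeat
    uint256 public immutable wbtcBtcMaxAge;  // seconds, derived from the WBTC/BTC heartbeat

    constructor(address _btcUsd, uint256 _btcUsdMaxAge, address _wbtcBtc, uint256 _wbtcBtcMaxAge) {
        btcUsd = AggregatorV3Interface(_btcUsd);
        btcUsdMaxAge = _btcUsdMaxAge;
        wbtcBtc = AggregatorV3Interface(_wbtcBtc);
        wbtcBtcMaxAge = _wbtcBtcMaxAge;
    }

    // Reads one feed and scales the answer to 18 decimals.
    // Returns 0 if latestRoundData() reverts or the answer is non-positive, stale or malformed.
    function _read(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (answer <= 0 || updatedAt == 0 || updatedAt > block.timestamp) return 0;
            if (block.timestamp - updatedAt > maxAge) return 0; // per-feed heartbeat check
            uint8 d = feed.decimals(); // the two feeds may use different decimals
            if (d > 18) return 0;
            return uint256(answer) * 10 ** uint256(18 - d);
        } catch {
            return 0;
        }
    }

    // WBTC/USD = (WBTC/BTC) * (BTC/USD), both at 18 decimals; 0 if either feed is unusable.
    function getPriceWBTC() external view returns (uint256) {
        uint256 btcUsdPrice = _read(btcUsd, btcUsdMaxAge);
        uint256 wbtcBtcPrice = _read(wbtcBtc, wbtcBtcMaxAge);
        if (btcUsdPrice == 0 || wbtcBtcPrice == 0) return 0;
        return (wbtcBtcPrice * btcUsdPrice) / 1e18;
    }
}
```

Because the result is a product of two feeds, its worst-case error is roughly the sum of the two feeds' deviation thresholds, which callers should account for when setting collateral margins.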
Picodes marked the issue as primary issue
othernet-global (sponsor) acknowledged
Picodes marked the issue as satisfactory
Picodes marked issue #787 as primary and marked this issue as a duplicate of 787