code-423n4 / 2024-02-wise-lending-findings


Hardcoded prices are prone to be abused one day #173

Closed c4-bot-8 closed 5 months ago

c4-bot-8 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseOracleHub/WiseOracleHub.sol#L151-L152

Vulnerability details

Impact

Loss of protocol and user funds

Proof of Concept

The protocol returns ETH value of a given token amount in order of 1E18 decimal precision by calling getTokensInETH

Accordingly, the function gets the token address and the token amount as the input parameters, and further validations are carried out as per the input address;

Contract: WiseOracleHub.sol

143:     function getTokensInETH(
144:         address _tokenAddress,
145:         uint256 _tokenAmount
146:     )
147:         public
148:         view
149:         returns (uint256)
150:     {
151:         if (_tokenAddress == WETH_ADDRESS) { 
152:             return _tokenAmount;
153:         }
154: 
155:         uint8 tokenDecimals = _tokenDecimals[
156:             _tokenAddress
157:         ];
158: 
159:         return _decimalsETH < tokenDecimals
160:             ? _tokenAmount
161:                 * latestResolver(_tokenAddress)
162:                 / 10 ** decimals(_tokenAddress)
163:                 / 10 ** (tokenDecimals - _decimalsETH)
164:             : _tokenAmount
165:                 * 10 ** (_decimalsETH - tokenDecimals)
166:                 * latestResolver(_tokenAddress)
167:                 / 10 ** decimals(_tokenAddress);
168:     }

L151 checks whether the input token is WETH. If true, it returns the same _tokenAmount as the input.

Otherwise, the function carries out internal calls depending on the token decimals with the trace below;

However, assuming a 1:1 WETH:ETH peg might cause the protocol to be used as the arbitration point and drain ETH funds when WETH loses its peg.

While it may be an unreal issue for the ETH mainnet, black swan events on different chains can trigger this when WETH is depegged on those chains. To picture this, this article from the top #1 whitehat on Immunefi can provide an idea of how WETH can lose its peg on other chains.

Needless to mention, even the most trusted stables have depegged in the past. There was a USDC depeg last year which brought the price to 0.89 USD per USDC. As a result, DAI also depegged, no matter how decentralized it is.

Tools Used

Manual Review

Recommended Mitigation Steps

We recommend not performing this equality check and querying the price the same as for other tokens.

Assessed type

Oracle
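As an added illustration (not the report's or the project's code), the following Python model mirrors the integer arithmetic of getTokensInETH for both decimal branches, with the hardcoded WETH short-circuit beside the recommended variant that routes WETH through the price feed like every other token. Token decimals, feed answers and the 0.98 depeg value are constructed for the example.

```python
# Constructed model of WiseOracleHub.getTokensInETH integer math (added example, not project code).
# Feeds are modelled as token -> (answer, feedDecimals), answers denominated in ETH.

DECIMALS_ETH = 18   # _decimalsETH in the contract
WETH = "WETH"

# Constructed sample state: token decimals and ETH-denominated feeds (18 feed decimals)
TOKEN_DECIMALS = {WETH: 18, "USDC": 6, "HIGH": 24}
FEEDS_AT_PEG = {
    WETH: (10**18, 18),         # 1 WETH = 1 ETH
    "USDC": (4 * 10**14, 18),   # 1 USDC = 0.0004 ETH
    "HIGH": (2 * 10**18, 18),   # 24-decimal token worth 2 ETH
}


def _scaled(token, amount, feeds):
    """Same expression as the contract's ternary, evaluated left to right with floor division."""
    answer, feed_decimals = feeds[token]
    td = TOKEN_DECIMALS[token]
    if DECIMALS_ETH < td:
        return amount * answer // 10**feed_decimals // 10**(td - DECIMALS_ETH)
    return amount * 10**(DECIMALS_ETH - td) * answer // 10**feed_decimals


def tokens_in_eth_hardcoded(token, amount, feeds):
    """Original behaviour: WETH returns the input amount without consulting any feed."""
    if token == WETH:
        return amount
    return _scaled(token, amount, feeds)


def tokens_in_eth_oracle(token, amount, feeds):
    """Mitigated variant: no equality check, WETH is priced through its feed too."""
    return _scaled(token, amount, feeds)


def weth_valuation_gap(amount, weth_answer):
    """ETH-wei by which the hardcoded path overvalues `amount` WETH when the feed reports weth_answer."""
    feeds = dict(FEEDS_AT_PEG)
    feeds[WETH] = (weth_answer, 18)
    return tokens_in_eth_hardcoded(WETH, amount, feeds) - tokens_in_eth_oracle(WETH, amount, feeds)


if __name__ == "__main__":
    # At peg both paths agree; at a constructed 0.98 ETH feed the hardcoded path is 2% too high
    print(weth_valuation_gap(10**18, 10**18))        # 0
    print(weth_valuation_gap(10**18, 98 * 10**16))   # 20000000000000000
```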

c4-pre-sort commented 6 months ago

GalloDaSballo marked the issue as insufficient quality report

GalloDaSballo commented 6 months ago

WETH depeg without any homework except Pwning.eth's article

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Invalid

trust1995 commented 5 months ago

WETH depeg assumption is butchering the meaning of "stated hypotheticals" in the rulebook