The issue highlighted a vulnerabiity in Salty's price aggregator. It's reliance on the Chainlink BTC/USD price feed, without a direct WBTC/USD counterpart, posed a vulnerability in events where WBTC depegs from BTC, as historically observed during market volatilities like the LUNA crash. The protocol's price aggregator, which selects the closest two out of three feeds (Uniswap V3 TWAP, Chainlink, and Salty's pool spot price), becomes susceptible to manipulation if WBTC's deviation leads to an inaccurate BTC/USD representation. An attacker, leveraging a flash loan, could skew Salty's pool spot price to match an already deviated Chainlink feed, tricking the aggregator into using the incorrect BTC/USD price for WBTC/USD. This could enable the attacker to unjustly liquidate positions or take undercollateralized positions
The mitigation for this issue revolved around the deprecation of number of key components including the removal of the overcollateralized USDS stablecoin framework, adding collateral, liquidations etc. Price feeds and the price aggregator as a result were also deprecated.
Lines of code
Vulnerability details
Lines of code
Vulnerability details
C4 Issue
https://github.com/code-423n4/2024-01-salty-findings/issues/60
Comments
The issue highlighted a vulnerabiity in Salty's price aggregator. It's reliance on the Chainlink BTC/USD price feed, without a direct WBTC/USD counterpart, posed a vulnerability in events where WBTC depegs from BTC, as historically observed during market volatilities like the LUNA crash. The protocol's price aggregator, which selects the closest two out of three feeds (Uniswap V3 TWAP, Chainlink, and Salty's pool spot price), becomes susceptible to manipulation if WBTC's deviation leads to an inaccurate BTC/USD representation. An attacker, leveraging a flash loan, could skew Salty's pool spot price to match an already deviated Chainlink feed, tricking the aggregator into using the incorrect BTC/USD price for WBTC/USD. This could enable the attacker to unjustly liquidate positions or take undercollateralized positions
Mitigation
https://github.com/othernet-global/salty-io/commit/8e3231d3f444e9851881d642d6dd03021fade5ed
The mitigation for this issue revolved around the deprecation of number of key components including the removal of the overcollateralized USDS stablecoin framework, adding collateral, liquidations etc. Price feeds and the price aggregator as a result were also deprecated.
Conclusion
LGTM