hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for the Hats Finance audit competition

Dangerous hardcoded stablecoin to 1 USD #50

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @chewonithard Submission hash (on-chain): 0x04a260b17297f7f32568f55d62e495b35db8f4fcbbeadc031e0a10acc029762c Severity: medium

Description: In CvgOracle.sol, getAndVerifyOracleAndAggregatorPrices hardcodes stablecoin values to 1, which is a dangerous practice that should be avoided.

```solidity
(uint256 poolOraclePrice, bool isEthVerified) = oracleParams.isStable
    ? (10 ** 18, true)
    : _getPriceOracle(erc20Address);
```

While the team verifies the price against a Chainlink price, if the threshold (delta) is not met, there could still be repercussions.

In config.js we can see the team expects to set oracleParams.deltaAggregatorCvgOracle to 10%. This would potentially allow a depeg of up to 10% which is very severe for a stablecoin. USDC severe depeg in 2023 was a drop to $0.87.

Attack Scenario: getAndVerifyOracleAndAggregatorPrices is used in Ibo.sol to calculate depositedUsdValue. If the deposit was in Frax or DAI, this would allow a user to purchase bonds at a greater discount than intended.

Recommendation: Use the stablecoin price from Chainlink (but also address the other issues around stale or incorrect prices from Chainlink).

walk-on-me commented 1 year ago

Hello, Thanks a lot for your attention.

In fact we are, by design, taking 1 USD as the price of the stable bond we'll create. I do agree with you it'd be a problem if a stable goes to $0.5; a user would be able to get x2 CVG on the deposit.

But we are verifying the price of those stablecoins through a Chainlink oracle. If the price returned by the aggregator is less or more than deltaAggregator % (that'll be set up at 0.5%), the deposit will fail on "LIMIT_TOO_LOW" or "LIMIT_TOO_HIGH".

We therefore consider the issue Invalid.
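The disagreement in this thread is about how much depeg the delta check lets through: the report reads config.js as 10%, the maintainer says it will be 0.5%. The following Python model, added here and not code from the Convergence repository, mirrors the shape of the ternary quoted in the report (1e18 for stables, an oracle price otherwise) plus a delta-based comparison against a Chainlink-style aggregator answer, and computes how much extra USD value a stablecoin deposit gets credited with for each threshold. All function names, the basis-point `delta_bps` parameter (a stand-in for deltaAggregatorCvgOracle) and the price samples are constructed assumptions, not values from the project.

```python
"""Model of the stablecoin price check discussed in this issue.

Constructed example, not code from the Convergence repository. Names and the
basis-point delta parameter are hypothetical; the 8-decimal aggregator answer
follows the usual Chainlink USD feed convention.
"""
from dataclasses import dataclass

WAD = 10**18          # 18-decimal fixed point, as in the quoted `10 ** 18`
BPS = 10_000          # basis points: 1000 bps == 10 %, 50 bps == 0.5 %


@dataclass(frozen=True)
class OracleParams:
    is_stable: bool
    delta_bps: int    # hypothetical stand-in for deltaAggregatorCvgOracle


def chainlink_answer_to_wad(answer: int, decimals: int = 8) -> int:
    """Scale an aggregator answer (Chainlink USD feeds use 8 decimals) to 18 decimals."""
    return answer * 10 ** (18 - decimals)


def pool_oracle_price(params: OracleParams, onchain_price_wad: int) -> int:
    """Price the contract believes in: exactly 1 USD for stables, pool price otherwise."""
    return WAD if params.is_stable else onchain_price_wad


def verify_against_aggregator(price_wad: int, aggregator_wad: int, delta_bps: int) -> str:
    """Return 'OK' when the aggregator price is within +/- delta of the believed price,
    otherwise the revert reason named in the maintainer's reply."""
    lower = price_wad * (BPS - delta_bps) // BPS
    upper = price_wad * (BPS + delta_bps) // BPS
    if aggregator_wad < lower:
        return "LIMIT_TOO_LOW"
    if aggregator_wad > upper:
        return "LIMIT_TOO_HIGH"
    return "OK"


def deposited_usd_value(amount_wad: int, price_wad: int) -> int:
    """USD value credited to a deposit, as Ibo.sol would compute from the believed price."""
    return amount_wad * price_wad // WAD


def overcredit_bps(believed_wad: int, market_wad: int) -> int:
    """Extra value credited, in bps of the true value, when the contract believes
    `believed_wad` but the market price is `market_wad`."""
    return (believed_wad - market_wad) * BPS // market_wad


def max_overcredit_bps(delta_bps: int) -> int:
    """Worst case the threshold admits: a depeg sitting just above the lower bound."""
    return delta_bps * BPS // (BPS - delta_bps)


def simulate_stable_deposit(amount_wad: int, chainlink_answer: int, delta_bps: int) -> dict:
    """Run one stablecoin deposit through the check and report what it would be credited."""
    params = OracleParams(is_stable=True, delta_bps=delta_bps)
    believed = pool_oracle_price(params, onchain_price_wad=0)  # ignored for stables
    market = chainlink_answer_to_wad(chainlink_answer)
    status = verify_against_aggregator(believed, market, delta_bps)
    accepted = status == "OK"
    return {
        "status": status,
        "credited_usd_wad": deposited_usd_value(amount_wad, believed) if accepted else 0,
        "overcredit_bps": overcredit_bps(believed, market) if accepted else 0,
    }


if __name__ == "__main__":
    usdc_march_2023 = 87_000_000   # constructed sample: $0.87 with 8 decimals
    mild_depeg = 95_000_000        # constructed sample: $0.95
    for delta in (1000, 50):       # the report's reading (10 %) vs the reply (0.5 %)
        print(f"delta={delta} bps: worst admissible overcredit={max_overcredit_bps(delta)} bps")
        for answer in (usdc_march_2023, mild_depeg):
            print("  price", answer / 1e8, simulate_stable_deposit(1_000 * WAD, answer, delta))
```

Running it shows both sides' points at once: at a 10% delta the $0.87 sample is rejected but a $0.95 price is accepted and credited about 5.3% more than its market value, with a worst case just over 11%; at 0.5% the same deposit reverts with LIMIT_TOO_LOW and the admissible overcredit is capped at roughly 50 bps. The residual risk with the hardcoded price is therefore exactly the configured delta, so whichever value is deployed is the figure to monitor.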