tsvetanovv - Use Chainlink Oracle to get the USDT price because it may not always be 1 USD

[sherlock-admin]

tsvetanovv

medium

Use Chainlink Oracle to get the USDT price because it may not always be 1 USD

Summary

Use Chainlink or another Oracle to get the USDT price because it may not always be 1 USD.

Vulnerability Detail

The Unitas Protocol uses oracles built by the Unitas team. Represents a smart contract called XOracle. This Oracle system allows authorized feeders to update and retrieve price information for various assets. The prices are stored in the prices mapping, and users can access the latest price or historical price data through the provided functions.

In my opinion, it is better to use an external Oracle like Chainlink that takes the current USDT price because it is not always 1 USD and can vary.

Impact

There is a situation in which stablecoin can fall significantly.

Let's take for example the fall of about 20% of USDC -> https://coinmarketcap.com/currencies/usd-coin/

Even similar thing happened with USDT in the past -> https://coinmarketcap.com/currencies/tether/

The lack of a current USDT price could allow a malicious user to take advantage of this.

Code Snippet

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/XOracle.sol https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/SwapFunctions.sol#L203-L239

Tool used

Manual Review

Recommendation

Add Chainlink Oracle to get the current USDT price.