sherlock-audit / 2023-12-arcadia-judging


santiellena - USDbC (Bridged USDC on Base) may cause insolvency in the protocol if it depegs from USDC #203

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

santiellena

medium

USDbC (Bridged USDC on Base) may cause insolvency in the protocol if it depegs from USDC

Summary

Failure to use a correct oracle address can cause unexpected pricing behavior in the USDbC pool.

Vulnerability Detail

Because there is no Chainlink Price Feed for USDbC and the USDC Price Feed is used for the token instead, in the case of a depeg of the bridged token from USDC, users will be able to arbitrage with other protocols, taking debt at a non-real price.

Impact

This potential depeg, as the protocol won't be able to handle it, may cause a drain of the tokens from the pool.

Code Snippet

As written in accounts-v2/test/fork/asset-modules/stargate/USDbCPool.fork.t.sol lines 38-40: https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/test/fork/asset-modules/stargate/USDbCPool.fork.t.sol#L38-L40

It is clear that the intentions are to use USDC oracle for USDbC.

Similar issues:

Tool used

Manual Review

Recommendation

Avoid using tokens that don't have an available oracle.

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 9 months ago

Invalid, agree with sponsors comments:

  • There is no (and there will not be) a separate oracle for USDbC on Base (this was confirmed with Chainlink, Circle and Base). Circle wants to phase out USDbC
  • Has to be taken into account in appropriate risk factors (maxExposure + risk factors)
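
An added sketch, not part of the thread and not Arcadia's code, of how the two parameters named in the last comment bound the loss when USDbC is valued with the USDC feed. The names `collateral_factor` and `max_exposure`, the single-asset model and every number are assumptions made for illustration; liquidation costs and interest are ignored.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class AssetRisk:
    # Assumed field names for this sketch, not Arcadia's storage layout.
    collateral_factor: Decimal  # share of oracle value that may be borrowed
    max_exposure: Decimal       # cap on units of the asset accepted as collateral


def breakeven_price(risk: AssetRisk, oracle_price: Decimal) -> Decimal:
    """Market price below which a fully borrowed position is under water."""
    return risk.collateral_factor * oracle_price


def worst_case_bad_debt(risk: AssetRisk, oracle_price: Decimal,
                        market_price: Decimal) -> Decimal:
    """Upper bound on bad debt: every allowed unit is deposited, borrowed
    against to the limit at the oracle price, then worth only market_price."""
    debt_per_unit = risk.collateral_factor * oracle_price
    shortfall = max(Decimal(0), debt_per_unit - market_price)
    return risk.max_exposure * shortfall


def exposure_cap_for_budget(collateral_factor: Decimal, oracle_price: Decimal,
                            stressed_price: Decimal,
                            loss_budget: Decimal) -> Optional[Decimal]:
    """Largest max_exposure that keeps the bound within loss_budget for a
    chosen stress price; None when the collateral factor already covers it."""
    shortfall = max(Decimal(0), collateral_factor * oracle_price - stressed_price)
    if shortfall == 0:
        return None
    return loss_budget / shortfall


if __name__ == "__main__":
    # Constructed parameters: 90% collateral factor, 1,000,000 unit cap,
    # USDC feed reporting 1.00 while the bridged token trades lower.
    risk = AssetRisk(Decimal("0.90"), Decimal("1000000"))
    oracle = Decimal("1.00")
    print("break-even market price:", breakeven_price(risk, oracle))
    for market in ("1.00", "0.95", "0.90", "0.80"):
        loss = worst_case_bad_debt(risk, oracle, Decimal(market))
        print(f"market {market}: worst-case bad debt {loss}")
    cap = exposure_cap_for_budget(Decimal("0.90"), oracle,
                                  Decimal("0.80"), Decimal("25000"))
    print("exposure cap for a 25,000 loss budget at 0.80:", cap)
```

In this model a depeg costs nothing until the market price drops below `collateral_factor * oracle_price`, and past that point the loss scales linearly with `max_exposure`.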