No rETH/USD oracle in Base chain

Summary

Using an rETH/USDC oracle in Flat-Money is crucial because all the logic relies heavily on this type of oracle, including:

share price calculation
trading position evaluation
liquidations

Vulnerability Detail

The problem is that there is no rETH/USDC oracle deployed by Chainlink on the Base chain. One alternative is to use the rETH/ETH oracle, but it will require additional development and will impact the entire codebase due to the distinctions with the intended rETH/USDC oracle:

deviation
decimals
heartbeat
price

Also, all the formulas used through the codebase will have to be changed.

Impact

The project will not function properly because of the missing oracle, additional development will be needed and most of the logic will have to be redefined.

Code Snippet

OracleModule.sol

function _getOnchainPrice() internal view returns (uint256 price, uint256 timestamp) {
    IChainlinkAggregatorV3 oracle = onchainOracle.oracleContract;
    if (address(oracle) == address(0)) revert FlatcoinErrors.ZeroAddress("oracle");

    (, int256 _price, , uint256 updatedAt, ) = oracle.latestRoundData();
    timestamp = updatedAt;
    // check Chainlink oracle price updated within `maxAge` time.
    if (block.timestamp > timestamp + onchainOracle.maxAge)
        revert FlatcoinErrors.PriceStale(FlatcoinErrors.PriceSource.OnChain);

    if (_price > 0) {
        price = uint256(_price) * (10 ** 10); // convert Chainlink oracle decimals 8 -> 18 
    } else {
        // Issue with onchain oracle indicates a serious problem
        revert FlatcoinErrors.PriceInvalid(FlatcoinErrors.PriceSource.OnChain);
    }
}

If rETH/ETH oracle is used the least thing that will be wrong is the decimals, instead of the intended 18, it will be scaled to 36 decimals.

Tool used

Manual Review

Recommendation

Alternative is to use the rETH/ETH oracle.

Duplicate of #90

sherlock-audit / 2023-12-flatmoney-judging

SBSecurity - No rETH/USD oracle in Base chain #262