Breeje - `DepositVault` will allow minting excessive `mToken` to User in case of WBTC Depeg event

[sherlock-admin4]

Breeje

Medium

DepositVault will allow minting excessive mToken to User in case of WBTC Depeg event

Summary

DepositVault will allow minting excessive mToken to User in case of WBTC Depeg event.

Root Cause

• The DepositVault contract relies on the USD value of deposited tokens to calculate the mintAmount of mTokens.

• The current DataFeed implementation fails to account for potential WBTC depegging.

• This flaw in the price feed causes inaccurate mToken calculations, potentially allowing users to mint more mTokens than they should receive.

As the severe impact clearly falls on the contract in scope, submitting this issue.

Internal pre-conditions

None.

External pre-conditions

1. WBTC depegs from BTC from 1:1 ratio, similar to the USDC depeg event in March 2023.

Attack Path

1. Alice deposits 0.1 WBTC (worth $6,000 at the time) using the depositInstant function.

2. The _calcAndValidateDeposit function calls _convertTokenToUsd to determine the token's USD value and the current rate.

3. _getTokenRate retrieves the value from Chainlink via IDataFeed(dataFeed).getDataInBase18().

4. The DataFeed contract is implemented as follows:

    function getDataInBase18() external view returns (uint256 answer) {
        (, answer) = _getDataInBase18();
    }

    function _getDataInBase18()
        private
        view
        returns (uint80 roundId, uint256 answer)
    {
        uint8 decimals = aggregator.decimals();
        (uint80 _roundId, int256 _answer, , uint256 updatedAt, ) = aggregator
            .latestRoundData();
        require(_answer > 0, "DF: feed is deprecated");
        require(block.timestamp - updatedAt <= healthyDiff && _answer >= minExpectedAnswer && _answer <= maxExpectedAnswer, "DF: feed is unhealthy");
        roundId = _roundId;
        answer = uint256(_answer).convertToBase18(decimals);
    }

5. Since there is no direct WBTC/USD Feed available from chainlink on Ethereum and given DataFeed uses only 1 feed, it is expected to use BTC/USD feed instead.

6. During a WBTC depeg, the DepositVault will still receive the unchanged BTC/USD value, ignoring the devaluation of WBTC.

7. As a result, the mintAmount of mTokens issued to the user remains inflated, allowing the user to exploit the difference by depositing undervalued WBTC and receiving excessive mTokens.

Impact

Depositors will get excessive mToken than intended in case of WBTC Depeg.

PoC

No response

Mitigation

Straightforward mitigation is to Update the Chainlink retrieval method to use both the WBTC/BTC Price Feed and BTC/USD Price Feed to derive the accurate WBTC/USD price.

[sherlock-admin3]

1 comment(s) were left on this issue during the judging contest.

merlinboii commented:

Low at best as the price received from feed has min/max validation and the admin can control over the price using the manually submission via the custom aggreator