15,000 USDC
Submission Details
Severity: medium
Valid

Attacker can extract value from protocol if WBTC depegs from BTC as Oracle prices WBTC using BTC/USD

Summary

An attacker can extract value from the protocol if WBTC depegs from BTC, because the protocol uses the native BTC/USD price feed to price WBTC.

Vulnerability Details

Users can deposit a wrapped asset such as WBTC (wrapped BTC) and mint against it, but the protocol uses Chainlink's native BTC/USD feed to price WBTC.

If WBTC depegs from BTC (as has happened to other wrapped tokens during bridge hacks), the protocol will continue to price WBTC using the BTC/USD price, even though WBTC will very quickly become worth far less than native BTC.

An attacker could:

  • buy WBTC on a decentralized exchange for a far lower value than native BTC,

  • deposit WBTC into the protocol,

  • mint DSC against their WBTC using the full value of native BTC,

  • swap DSC for USDC or other stablecoin,

  • allow their WBTC position to be liquidated since it is worth far less than the protocol believes.

Impact

Attacker can extract value from the protocol in the event WBTC depegs from BTC.

Tools Used

Manual

Recommendations

To help address this issue, the protocol could use Chainlink's WBTC/BTC price feed to monitor for a depeg event and/or another data source such as a Uniswap V3 TWAP.
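One way to apply the WBTC/BTC feed check, shown as an added example that is not the protocol's own code. The contract name `WbtcPegGuard`, its function names, the `maxAge` staleness bound and the `minRatioBps` peg floor are hypothetical, and the two feed addresses are supplied by the deployer:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Chainlink aggregator interface, declared inline so the example is self-contained.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical helper: prices WBTC as BTC/USD * WBTC/BTC and blocks minting on a depeg.
contract WbtcPegGuard {
    error StalePrice(address feed);
    error InvalidPrice(address feed);
    error WbtcDepegged(uint256 ratioBps);

    uint256 private constant BPS = 10_000;
    AggregatorV3Interface public immutable btcUsdFeed;
    AggregatorV3Interface public immutable wbtcBtcFeed;
    uint256 public immutable maxAge;      // assumed staleness bound in seconds (one value for both feeds)
    uint256 public immutable minRatioBps; // assumed peg floor, e.g. 9_800 = 0.98 BTC per WBTC

    constructor(address btcUsd, address wbtcBtc, uint256 maxAge_, uint256 minRatioBps_) {
        btcUsdFeed = AggregatorV3Interface(btcUsd);
        wbtcBtcFeed = AggregatorV3Interface(wbtcBtc);
        maxAge = maxAge_;
        minRatioBps = minRatioBps_;
    }

    // Reads a feed, rejecting non-positive or stale answers; returns the answer and its 10**decimals unit.
    function _read(AggregatorV3Interface feed) private view returns (uint256 price, uint256 unit) {
        (, int256 answer,, uint256 updatedAt,) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(address(feed));
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(address(feed));
        return (uint256(answer), 10 ** uint256(feed.decimals()));
    }

    /// WBTC/USD in the BTC/USD feed's decimals, discounted by the live WBTC/BTC ratio.
    function wbtcUsdPrice() public view returns (uint256 price, uint256 ratioBps) {
        (uint256 btcUsd,) = _read(btcUsdFeed);
        (uint256 ratio, uint256 unit) = _read(wbtcBtcFeed);
        return (btcUsd * ratio / unit, ratio * BPS / unit);
    }

    /// Same price, but reverts when WBTC trades below the peg floor; intended for deposit and mint paths.
    function wbtcUsdPriceForMint() external view returns (uint256 price) {
        uint256 ratioBps;
        (price, ratioBps) = wbtcUsdPrice();
        if (ratioBps < minRatioBps) revert WbtcDepegged(ratioBps);
    }
}
```

Liquidation and health-factor checks would call `wbtcUsdPrice()` so that depegged collateral is still valued at its discounted price, while mint paths call `wbtcUsdPriceForMint()` so that no new DSC is issued against WBTC during a depeg.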
