Attacker can extract value from protocol if WBTC depegs from BTC as Oracle prices WBTC using BTC/USD
Summary
Attacker can extract value from the protocol if WBTC depegs from BTC as protocol uses native BTC/USD price feed to price WBTC.
Vulnerability Details
Users can deposit a wrapped asset such as WBTC (wrapped BTC) and mint against it, but the protocol uses Chainlink's native BTC/USD feed to price WBTC.
If WBTC depegs from BTC (as has happened to other wrapped tokens during bridge hacks), the protocol will continue to price WBTC using the BTC/USD price, even though WBTC will very quickly become worth far less than native BTC.
An attacker could:
buy WBTC on a decentralized exchange for a far lower value than native BTC,
deposit WBTC into the protocol,
mint DSC against their WBTC using the full value of native BTC,
swap DSC for USDC or other stablecoin,
allow their WBTC position to be liquidated since it is worth far less than the protocol believes.
Impact
Attacker can extract value from the protocol in the event WBTC depegs from BTC.
Tools Used
Manual
Recommendations
To help address this issue the protocol could use Chainlink's WBTC/BTC price feed to monitor for a depeg event and/or another data source like UniwapV3 TWAP.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.