TWAP price uses `USDC` instead of `USD`
Summary
LibOracle.sol:getOraclePrice() can return an incorrect USD/ETH price in case the TWAP price is used, as it is using USDC instead of USD.
Vulnerability Details
LibOracle.sol:baseOracleCircuitBreaker() falls back to the TWAP price if there is an issue with the Chainlink base oracle price.
However, in this case, the WETH/USDC price is used. In the past, USDC has depegged from the dollar as much as a 3% difference and it is not unimaginable that it could depeg even more in the future. Given that these events usually happen in moments of high volatility, these are the moments when the Chainlink oracle is most likely to fail and the TWAP price is used.
The calculation of the TWAP price has also other remarkable issues.
For one, in the normalization of the price, division is performed before multiplication, which can lead to a loss of precision.
As for the liquidity check, it is only performed in the case of the Chainlink price being invalid (not in the case of it deviating too much from the previous price) and in any case, the liquidity could be manipulated with a flash loan.
Impact
The incorrect USD price can be used, which can lead to many problems, including users being required to deposit more/less collateral than expected or being liquidated when they shouldn't be.
Tools Used
Manual review.
Recommendations
Use another oracle service as a fallback or revert the transaction if the Chainlink oracle fails.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.