Invalid assumption that USDC is always priced the same as USD can result in invalid prices
Summary
As we saw with the downfall of Silicon Valley Bank, 1 USDC is not always priced the same as 1 USD. We saw during times that USDC was priced nearly as low as 0.90 USD/USDC. However, by comparing the ETH/USD chainlink feed against the WETH/USDC TWAP price, it's clear that this protocol is implicitly assuming that 1 USDC is priced as 1 USD. This can potentially result in invalid ETH prices being returned.
Vulnerability Details
In the baseOracleCircuitBreaker function, the TWAP price is retrieved as follows:
This returns the price of WETH in USDC and then inverts it to be USDC/WETH. This TWAP price is then potentially returned later as is, without adjusting for whether USDC and USD are equivalent. Additionally, when the ETH/USD chainlink oracle has issues, this TWAP price will be returned without any checks/reference to other prices.
Impact
Since USDC is not guaranteed to be priced the same as USD, utilizing the TWAP price directly (which is WETH/USDC) might not return the valid price for ETH/USD.
Tools Used
Manual review
Recommendations
Consider referencing the chainlink USDC/USD price when calculating the ETH price based on TWAP.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.