The oracle relies on the BTC/USD feed to get the price of WBTC. If WBTC depegs, this will introduce losses for users (in the swaps, the part the oracle is used for): WBTC, which is a centralized wrapped asset, could deviate from the price of BTC, which is decentralized.
This vulnerability is straightforward to the point: if WBTC were to depeg, it would introduce skewed oracle prices, which matter for swaps.
Although the oracle addresses are not technically in scope, I believe they are because they will be used as such for the ChainLinkARBOracle feed addresses. Probably the address would have been used as such, which presents a vulnerability in case WBTC were to depeg. Although uni swaps are out of scope, if the token depegs the protocol is deprived of some of its usability, which is why the medium risk assessment is granted.
Manual review
Other resources such as https://thebitcoinmanual.com/articles/why-wrapped-bitcoin-depeg/
To mitigate this issue, introducing another oracle can be an option, such as the Uniswap V3 TWAP.
Another method, although slightly laborious, is to first rely on the available WBTC/BTC feed: if the deviation from the peg is greater than what is deemed acceptable, revert the transaction due to unacceptable prices.
Or, first use the WBTC/BTC feed, convert the fetched WBTC value into an amount of BTC, and then convert that to USD with the BTC/USD feed.
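The two feed-based mitigations above, as an added example that is not part of the original submission or of the ChainLinkARBOracle code: a hypothetical consumer that reads a WBTC/BTC feed, reverts when the peg deviation exceeds a configured threshold, and otherwise prices WBTC in USD as WBTC/BTC multiplied by BTC/USD. Feed addresses, the deviation threshold and the staleness window are constructor parameters and are assumptions here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Chainlink aggregator interface (only the functions used below).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80);
}

/// Hypothetical WBTC pricer: depeg guard on WBTC/BTC, then WBTC -> BTC -> USD.
contract WbtcUsdPricer {
    AggregatorV3Interface public immutable wbtcBtcFeed; // WBTC/BTC feed (assumed address)
    AggregatorV3Interface public immutable btcUsdFeed;  // BTC/USD feed (assumed address)
    uint256 public immutable maxDeviationBps;           // e.g. 200 = 2% (assumed threshold)
    uint256 public immutable maxStaleness;              // seconds since last update (assumed)
    uint256 private constant BPS = 10_000;

    error StalePrice();
    error InvalidPrice();
    error WbtcDepegged(uint256 deviationBps);

    constructor(address _wbtcBtc, address _btcUsd, uint256 _maxDeviationBps, uint256 _maxStaleness) {
        wbtcBtcFeed = AggregatorV3Interface(_wbtcBtc);
        btcUsdFeed = AggregatorV3Interface(_btcUsd);
        maxDeviationBps = _maxDeviationBps;
        maxStaleness = _maxStaleness;
    }

    // Reads a feed and rejects non-positive or stale answers.
    function _read(AggregatorV3Interface feed) internal view returns (uint256 price, uint8 dec) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice();
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice();
        return (uint256(answer), feed.decimals());
    }

    // Mitigation 2: revert if WBTC/BTC deviates from 1.0 by more than maxDeviationBps.
    function checkPeg() public view returns (uint256 wbtcPerBtc, uint8 dec) {
        (wbtcPerBtc, dec) = _read(wbtcBtcFeed);
        uint256 one = 10 ** dec;
        uint256 diff = wbtcPerBtc > one ? wbtcPerBtc - one : one - wbtcPerBtc;
        uint256 deviationBps = (diff * BPS) / one;
        if (deviationBps > maxDeviationBps) revert WbtcDepegged(deviationBps);
    }

    // Mitigation 3: WBTC in USD = (WBTC/BTC) * (BTC/USD); result keeps the BTC/USD feed's decimals.
    function wbtcUsdPrice() external view returns (uint256) {
        (uint256 wbtcPerBtc, uint8 pegDec) = checkPeg();
        (uint256 btcUsd, ) = _read(btcUsdFeed);
        return (wbtcPerBtc * btcUsd) / (10 ** pegDec);
    }
}
```

With a 2% threshold, a WBTC/BTC answer of 0.985 (98,500,000 at 8 decimals) reverts with `WbtcDepegged(150)`, while 0.995 passes and scales the BTC/USD answer by 0.995.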
constant.ts is out of scope. Just leaving for sponsor's review