Possible arbitrage from Chainlink price discrepancy
Summary
Intrinsic arbitrage between assets due to price feed deviation threshold
Vulnerability Details
Currently protocol relies on the following chainlink price feeds in order to calculate MinimumAmountOut:
ETH/USD Deviation:0.05% Heartbeat:86400s
WBTC/USD Deviation:0.05% Heartbeat:86400s
LINK/USD Deviation:0.2% Heartbeat:3600s
PAXG/USD Deviation:0.5% Heartbeat:86400s
EUR/USD Deviation:0.1% Heartbeat:3600s
When collateralValueMinusSwapValue < requiredCollateralValue, the protocol calls calculator.eurToToken() to calculate the MinimumAmountOut. The calculation method is as follows
The protocol first fetches the price tokenUsdPrice of the token, then obtains the price eurUsdPrice of EUR. The calculation is performed as follows: _eurValue * eurUsdPrice / tokenUsdPrice.
This is correct in theory, but in practice the price feeds are slightly inaccurate. Chainlink has a deviation threshold of up to 0.5% or so, which means that it will not update the price unless the true price deviates at least 0.5%. Thus the price feeds mayncrease by up to 0.5%.
Note that for a normal single asset vault the price doesn't matter; it is merely a conversion factor. But when we have multiple assets the price does matter and must be carefully chosen such that one cannot profit by swap.
If eurUsdPrice decreases by 0.1%, and tokenUsdPrice increases by 0.5%, the final calculated value will deviate from the expected result, causing the minimumAmountOut value to be smaller, creating arbitrage opportunities.
Impact
The owner is susceptible to arbitrage during exchanges
Tools Used
Vscode
Recommendations
I was thinking about utilizing multiple price oracles, which could potentially close any profitable opportunities
Lead Judging Commences
Chainlink-price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.