The Standard

Title:

Summary

The LiquidationPool.distributeAssets function uses the BTC/USD Chainlink oracle to price WBTC. This approach is risky if WBTC depegs from BTC, leading to WBTC not holding an equivalent value to BTC. This discrepancy can cause incorrect asset distribution.

Vulnerability Detail

The core issue stems from using a single BTC/USD Chainlink oracle to price WBTC. If the WBTC to BTC bridge is compromised, causing WBTC to depeg, its value may deviate significantly from BTC's, potentially rendering it valueless. This reliance on one oracle for WBTC pricing introduces risks to the protocol and its users.

The provided code snippet from the LiquidationPool contract highlights the mechanism for obtaining WBTC prices using the BTC/USD Chainlink oracle:

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L205-L241

Impact

A compromised WBTC bridge or depegging from BTC would severely impact the protocol:

1. Incorrect costInEuro calculation.

2. Erroneous asset distribution.

Tools Used

Manual review

Recommendation

To address this vulnerability, implement a dual oracle system for WBTC pricing. This system should include both the BTC/USD Chainlink oracle and an additional on-chain liquidity-based oracle, like UniV3 TWAP.

This dual oracle approach serves two key purposes. It reduces the risk of price manipulation by using the Chainlink oracle for accurate WBTC pricing. Additionally, the on-chain liquidity-based oracle acts as a safeguard against WBTC depegging. By monitoring the price from this oracle and comparing it with the Chainlink oracle's price, the protocol can suspend borrowing activities if a significant deviation (e.g., 2% or more) is detected.

Implementing a dual oracle setup enhances protocol stability and mitigates the risks associated with WBTC depegging. It ensures more accurate valuations, minimizes bad debt accumulation, and protects both the protocol and its users.