Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Incompatibility of `ChainlinkUtil.sol` with `WSTETH` and `WEETH` Price Feeds on `Arbitrum`

0xshoonya

Summary

The ChainlinkUtil.sol contract is designed to work with USD-denominated price feeds. However, on Arbitrum, WSTETH and WEETH only have ETH-denominated price feeds available. This mismatch creates an incompatibility that could lead to incorrect price data being used in the protocol causing severe mispricing of these assets.

Vulnerability Details

The ChainlinkUtil.sol contract, specifically the getPrice function, assumes that all price feeds are denominated in USD. This assumption is incompatible with the reality of WSTETH and WEETH price feeds on Arbitrum.

...snip...

try priceFeed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {

if (block.timestamp - updatedAt > priceFeedHeartbeatSeconds) {

revert Errors.OraclePriceFeedHeartbeat(address(priceFeed));

}

IOffchainAggregator aggregator = IOffchainAggregator(priceFeed.aggregator());

int192 minAnswer = aggregator.minAnswer();

int192 maxAnswer = aggregator.maxAnswer();

if (answer <= minAnswer || answer >= maxAnswer) {

revert Errors.OraclePriceFeedOutOfRange(address(priceFeed));

}

price = ud60x18(answer.toUint256() * 10 ** (Constants.SYSTEM_DECIMALS - priceDecimals));

Chainlink does not provide USD-denominated price feeds for WSTETH and WEETH on Arbitrum. The available price feeds for these assets on Arbitrum are ETH-denominated (WSTETH/ETH and WEETH/ETH).

Since ChainlinkUtil.sol::getPrice only supports single asset price data, so the current implementation does not account for this difference in denomination.

Impact

Impact: High

Likelihood: High

The protocol will use incorrect price data for Liquid Restaking tokens like WSTETH and WEETH, leading to mispricing of these assets as margin collateral.

Tools Used

Manual Review

Recommendations

Implement Multi-Step Price Calculation specifically for WSTETH and WEETH

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Some in-scope tokens don't have Chainlink feeds on Arbi

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.