Protocol mechanics incorrectly assume 1 crvUSD will always be worth 1 USD
Summary
The protocol mechanics assume 1 crvUSD = 1 USD
Chainlink always provide RWA prices in USD (or other currencies, but not in crvUSD. Refer a similar finding here)
Once crvUSD depegs, this creates arbitrige oppotunities and may lead to protocol insolvency/loss of user funds
Past instances in the last couple of years when crvUSD has depegged significantly:
Depegged on 3 Aug 2023 (went down
0.35%): See hereDepegged on 12 June 2024 (went up
~ $1.15): See here
Description
The _processResponse() function fetches prices from off-chain API in RAACPrimeRateOracle.sol and RAACHousePriceOracle.sol contracts which inherit BaseChainlinkFunctionsOracle.sol.
Chainlink price feeds always return RWA prices in USD. However, throughout the protocol crvUSD has been used as the basis of all calculations: for rToken, RAACToken, veRAACToken, deToken mint and burns. The protocol obviously assumes a permanent 1:1 peg between crvUSD:USD. This is not the case as shown in the aforementioned depeg events.
Such depeg can lead to significant fund loss for users as well as the protocol.
Mitigation
Consider adding an oracle to convert the prices received in USD from Chainlink APIs to crvUSD.
Lead Judging Commences
Protocol assumes 1 CRVUSD = 1 USD without using a price oracle, risking incorrect liquidations or other inacurate accounting if the stablecoin depegs
Protocol assumes 1 CRVUSD = 1 USD without using a price oracle, risking incorrect liquidations or other inacurate accounting if the stablecoin depegs
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.