Wrong address for `BTC/USD` Chainlink aggregator contract

Summary

Wrong address for BTC/USD Chainlink aggregator contract.

Vulnerability Detail

In the constructor of StableOracleWBTC.sol priceFeed is initialized with the address 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419. This is the address of the ETH/USD aggregator, not the WBTC/USD.

This is a clear mistake, as in the comments we can read:

/*
    wbtc 0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599;
    chainlink btc/usd priceFeed 0xf4030086522a5beea4988f8ca5b36dbc97bee88c;
*/

However, that is not the correct address either, as it is for the BTC/USD price feed and not WBTC/USD, and the prices of BTC and WBTC might not be the same.

Impact

Calls to StableOracleWBTC.sol:getPriceUSD() will return the wrong price, which might lead to mint and rebalance functionalities to work erratically and USSD being depegged.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBTC.sol#L16-L18

Tool used

Manual Review

Recommendation

Use the correct address: 0xfdFD9C85aD200c506Cf9e21F1FD8dd01932FBB23.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

063.md

063.md

Wrong address for `BTC/USD` Chainlink aggregator contract

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Files

063.md

Latest commit

History

063.md

File metadata and controls

Wrong address for BTC/USD Chainlink aggregator contract

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Wrong address for `BTC/USD` Chainlink aggregator contract