Skip to content

Latest commit

 

History

History
47 lines (29 loc) · 1.49 KB

074.md

File metadata and controls

47 lines (29 loc) · 1.49 KB

peanuts

high

StableOracleWBTC.sol does not use the WBTC/USD pricefeed

Summary

The priceFeed in the constructor of StableOracleWBTC.sol is the ETH/USD feed, not WBTC/USD feed. getPriceUSD() will return the price of ETH instead of WBTC.

Vulnerability Detail

The priceFeed in StableOracleWBTC.sol uses 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419, which is the ETH/USD price feed. Ref: https://data.chain.link/ethereum/mainnet/crypto-usd/eth-usd

contract StableOracleWBTC is IStableOracle {
    AggregatorV3Interface priceFeed;

    constructor() {
        priceFeed = AggregatorV3Interface(
            0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419
        );
    }

Impact

The getPriceUSD() of StableOracleWBTC.sol will return the ETH price in USD instead of the WBTC price

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBTC.sol#L12-L19

Tool used

Manual Review

Recommendation

Use the proper contract address. Recommend using the wBTC/BTC and BTC/USD price feeds together (Chainlink does not have a wBTC/USD price feed) and do the appropriate conversion instead of just BTC/USD price feed because wBTC may depeg from BTC, making BTC/USD price feed unreliable to read WBTC prices.

wBTC/BTC: 0xfdfd9c85ad200c506cf9e21f1fd8dd01932fbb23 https://data.chain.link/ethereum/mainnet/crypto-other/wbtc-btc

BTC/USD: 0xf4030086522a5beea4988f8ca5b36dbc97bee88c https://data.chain.link/ethereum/mainnet/crypto-usd/btc-usd