santiellena - USDbC (Bridged USDC on Base) may cause insolvency in the protocol if it deppegs from USDC #203
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
Sponsor Disputed
The sponsor disputed this issue's validity
Won't Fix
The sponsor confirmed this issue will not be fixed
santiellena
medium
USDbC (Bridged USDC on Base) may cause insolvency in the protocol if it deppegs from USDC
Summary
Failure to use a correct oracle address can cause unexpected pricing behavior in the USDbC pool.
Vulnerability Detail
The lack of a Chainlink Price Feed for USDbC and the decision to use the USDC Price Feed for the token, in the case of a depeg of the bridged token from USDC, users will be able to arbitrage with other protocols taking debt at a non-real price.
Impact
This potential depeg, as the protocol won't be able to handle it, may cause a drain of the tokens from the pool.
Code Snippet
As written in
accounts-v2/test/fork/asset-modules/stargate/USDbCPool.fork.t.sol
line 38-40:https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/test/fork/asset-modules/stargate/USDbCPool.fork.t.sol#L38-L40
It is clear that the intentions are to use USDC oracle for USDbC.
Similar issues:
Tool used
Manual Review
Recommendation
Avoid using tokens that don't have an available oracle.
The text was updated successfully, but these errors were encountered: