yixxas - Assumption that 1 USDC = 1 USD is extremely dangerous in the event of a depeg of USDC

[github-actions]

yixxas

high

Assumption that 1 USDC = 1 USD is extremely dangerous in the event of a depeg of USDC

Summary

We should not assume that 1 USDC = 1 USD all the time and its value should be checked with an oracle. In recent times, USDT has depegged to about $0.93 temporarily during the FTX crisis. Should this happen to USDC, borrowers can make use of this depeg event, buy USDC at a price lower than $1, and use it to borrow other assets. User can drain other assets from the protocol and devalue isoUSD as long as the difference in price of USDC from its $1 value is more than the allowed borrow margin.

Vulnerability Detail

The value of USDC is assumed to be $1 in DepositReceipt#PriceLiquidity. This value is then used by Vault_Velo#totalCollateralValue to measure the collateral value of USDC available in the liquidity pool. Even if current price of USDC is no longer $1 on the market, it will still compute its value at $1. User can then use this inflated value to openLoan() and borrow isoUSD, then use this isoUSD to borrow other assets and drain the protocol.

Impact

Impact is severe here even if USDC depegs. Assuming that only USDC depegs, the protocol can be drained of its other stable assets as users make use of this arbitrage opportunity. This drain is controlled by the maximum amount of loaned allowed each day.

Code Snippet

https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Velo-Deposit-Tokens/contracts/DepositReceipt_USDC.sol#L75-L103
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Isomorph/contracts/Vault_Velo.sol#L352-L363

Tool used

Manual Review

Recommendation

Use an oracle to determine the price of USDC instead of assuming 1 USDC = 1 USD.

Duplicate of #224