Fix WBTC FiRM Price Feed and Return Whitehat Funds
Background
Proposal 278 aimed to standardize the price feeds for WETH and WBTC by leveraging the ChainlinkBridgeAssetFeed logic.
Shortly after the proposal was executed, contributors identified an error in the tokenDecimals parameter for WBTC that caused the FiRM oracle to underprice WBTC significantly. Three users with open debt positions in the WBTC market were affected. In response, a proactive whitehat intervention was carried out by TWG in the amount of 5.68 WBTC to secure the at-risk funds.
Root Cause
The tokenDecimals value for WBTC was incorrectly set to 18, the standard for most ERC20 tokens used in FiRM. However, WBTC is a non-standard ERC20 with 8 decimals. This misconfiguration caused the price feed to understate WBTC’s value in DOLA terms by a factor of 10¹⁰.
Process Improvements Going Forward
This incident is a reminder that even with thorough contributor diligence and proof-of-review processes, human error remains a risk and requires stronger automated validation tools and more structured “sanity checks” in the short term, while minimizing direct human intervention in critical parameter settings in the long term.
Further improvements to the pre-proposal internal review processes include:
Proof-of-Review Process Enhancement
A new Proof-of-Review (PoR) system is being introduced that will incorporate sanity check hooks, and fork testing (depending on the proposal type). These could include verifying that the Oracle and BorrowController are the latest versions, confirming that the price moves correctly with the underlying oracle feeds, and ensuring that the price, liquidation parameters, and minimum debt parameter are all within reasonable bounds. This new PoR system will require UI-enforced sign-offs from a member of the Risk Working Group, the Product Working Group involved in contract deployment, and a governance delegate. Any proposal that could impact user funds will have to pass these new formalized checkpoints before they can be submitted.
UI-Linked Risk Signaling
We recognize that UI elements on our governance site intended to make proposal on-chain action setting and reading more human-friendly can give reviewers false confidence. The Risk and Product Working Group will work closely to introduce explicit warnings and parameter previews for on-chain proposals, tying in the PoR system and making discrepancies more obvious at the point of review. One example includes a UI preview for FiRM-related proposals that displays post-simulation positions and market data.
Contract-Level Guards (Long-Term)
In future iterations of FiRM, governance-controlled price feed updates and other sensitive parameter changes will be restricted or gated by contract-level sanity checks. These restrictions will reject extreme or suspicious values automatically, reducing the probability of human error affecting live markets.
Resolution Plan: Feed Fix and Return of Funds
Since 100% of the at-risk funds were successfully secured through whitehat efforts, all three impacted users can be fully restored to their pre-incident state once the feed is corrected.
The following actions will resolve the issue:
- Correct the WBTC feed on FiRM by updating tokenDecimals to 8.
- Return WBTC to the affected users’ FiRM PCE addresses:
- Return 0.97806938 WBTC to 0x5e5d086781Ec430E56bd4410b0Af106B86292339
- Return 3.59144374 WBTC to 0x52555b437EeE8F55a7897B4E1F8fB3e7Edb2b344
- Return 1.11234807 WBTC to 0xE58ED128325A33afD08e90187dB0640619819413
These steps will fully restore user balances and ensure the WBTC market is functioning correctly.
UI Sim screenshot of the above actions executed:
