100,000 USDC
Submission Details
Severity: low
Invalid

[M] Deprecated Chainlink feeds will result in incorrect price calculation

Summary

Beanstalk's LibChainlinkOracle library integrates Chainlink oracles to fetch ETH/USD price data for various financial calculations within the protocol. This library employs functions like getEthUsdPrice and getEthUsdTwap to retrieve the latest price and calculate the Time-Weighted Average Price (TWAP). However, the current implementation does not explicitly handle or detect when Chainlink oracles become deprecated.

Vulnerability Details

The LibChainlinkOracle library relies on Chainlink's latestRoundData() and getRoundData() to fetch price data.

In scenarios where Chainlink deprecates an oracle, typically indicated by halting updates or setting the aggregator address to the zero address, these functions may revert or fail to return valid data. The library's current strategy is to return a price of 0 in case of any failure or anomaly detected during these oracle calls. While this approach prevents reverts and ensures function execution continuity, it does not specifically address the implications of relying on a deprecated oracle.

Impact

Using data from deprecated oracles can lead to inaccurate price information, affecting critical protocol functionalities like reward distributions, financial estimations, and operational decisions. This could potentially misalign incentives, affect user trust, and impact the protocol's economic mechanisms.

https://docs.chain.link/data-feeds/deprecating-feeds?network=deprecated&page=1

Tools Used

Manual Review

Recommendations

Implement a circuit breaker that pauses critical functions when an oracle feed is found to be unreliable or deprecated. This adds a layer of security, preventing unnecessary 0 value returns.
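
One way the recommended circuit breaker could look, as an added example that is not Beanstalk's or the submitter's code. The contract name, maxAge, checkFeed(), poke() and whenFeedHealthy are hypothetical; aggregator() is the getter exposed by Chainlink's feed proxy, and how a tripped breaker is reset is left to governance and not shown.

```solidity
pragma solidity ^0.8.20;

// Added example, not Beanstalk code. All names below are hypothetical
// except the two Chainlink proxy functions declared in the interface.
interface IChainlinkProxy {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
    function aggregator() external view returns (address);
}

abstract contract FeedCircuitBreaker {
    IChainlinkProxy public immutable feed;
    uint256 public immutable maxAge; // assumed staleness limit, in seconds
    bool public tripped;             // once set, guarded functions stay paused
    event FeedUnhealthy(string reason);
    error OraclePaused();

    constructor(IChainlinkProxy _feed, uint256 _maxAge) { feed = _feed; maxAge = _maxAge; }

    // Returns (true, "") when the feed looks live, otherwise (false, reason).
    // Covers both deprecation signals named above: aggregator set to the
    // zero address, and updates halted (stale updatedAt).
    function checkFeed() public view returns (bool ok, string memory reason) {
        try feed.aggregator() returns (address agg) {
            if (agg == address(0)) return (false, "aggregator unset");
        } catch {
            return (false, "aggregator() reverted");
        }
        try feed.latestRoundData() returns (uint80 roundId, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (roundId == 0 || answer <= 0) return (false, "invalid round");
            if (updatedAt == 0 || updatedAt > block.timestamp) return (false, "bad timestamp");
            if (block.timestamp - updatedAt > maxAge) return (false, "stale: updates halted");
        } catch {
            return (false, "latestRoundData() reverted");
        }
        return (true, "");
    }

    // Permissionless: trips the breaker and records why the feed failed.
    function poke() external {
        (bool ok, string memory reason) = checkFeed();
        if (!ok && !tripped) {
            tripped = true;
            emit FeedUnhealthy(reason);
        }
    }

    // Inheriting contracts apply this to functions that must not run on a dead feed.
    modifier whenFeedHealthy() { if (tripped) revert OraclePaused(); _; }
}
```

The emitted reason string gives off-chain monitoring a distinct signal for a deprecated feed, which a bare 0 price does not.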

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Oracle failure
