Beanstalk uses the Chainlink oracle to derive the deltaB of the wstETH:BEAN Well for minting and Converts, and to determine the amount of Fertilizer issued to a Fertilizer buyer.
However, a constant within the LibChainlinkOracle library, FOUR_DAY_TIMEOUT (set to 345,600 seconds), dictates the maximum allowable age of oracle price data before it is considered stale. This does not match the actual heartbeat of the Chainlink stETH/ETH feed, which is 24 hours:
https://data.chain.link/feeds/ethereum/mainnet/steth-eth
The discrepancy between FOUR_DAY_TIMEOUT and Chainlink's actual update frequency introduces a potential vulnerability, since price data up to four days old would be accepted as valid.
In the staleness check, maxTimeout is FOUR_DAY_TIMEOUT (345,600 seconds) and currentTimestamp is the current block timestamp. This is a significant deviation from the actual update frequency of the stETH:ETH oracle, which updates roughly once every 24 hours.
Using outdated price data because of the oversized FOUR_DAY_TIMEOUT can have several adverse effects on the Beanstalk protocol and its users, including inaccurate `deltaB` calculations for the `wstETH:BEAN` Well during minting and Converts, and incorrect Fertilizer issuance to buyers.
Manual Review
Reduce the FOUR_DAY_TIMEOUT value. Align the timeout more closely with the actual update frequency (heartbeat) of the Chainlink feed, so that only current and relevant price data is used in protocol operations.
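The following is an added example, not Beanstalk's code, that models a Chainlink round staleness check and compares the page's FOUR_DAY_TIMEOUT with a timeout aligned to the feed's 24 hour heartbeat. The one hour grace period, the Round field names and the sample rounds are assumptions constructed for the example.

```python
from dataclasses import dataclass

FOUR_DAY_TIMEOUT = 345_600           # 4 days, the constant the finding flags
CHAINLINK_HEARTBEAT = 24 * 60 * 60   # 24 h, stETH/ETH feed heartbeat per the finding
# Grace period for a late heartbeat update; an assumption, not a value from the page.
HEARTBEAT_GRACE = 60 * 60
HEARTBEAT_TIMEOUT = CHAINLINK_HEARTBEAT + HEARTBEAT_GRACE


@dataclass(frozen=True)
class Round:
    """Minimal stand-in for the fields Chainlink's latestRoundData() returns."""
    round_id: int
    answer: int            # price with 18 decimals for stETH/ETH
    updated_at: int        # unix timestamp at which the round was updated
    answered_in_round: int


def is_fresh(rnd: Round, current_timestamp: int, max_timeout: int) -> bool:
    """Return True if the round passes the usual Chainlink sanity checks
    (positive answer, completed round, sane timestamp) and is no older
    than max_timeout seconds."""
    if rnd.answer <= 0:
        return False
    if rnd.answered_in_round < rnd.round_id:
        return False
    if rnd.updated_at == 0 or rnd.updated_at > current_timestamp:
        return False
    return current_timestamp - rnd.updated_at <= max_timeout


def accepted_rounds(rounds, current_timestamp: int, max_timeout: int) -> list:
    """Round ids the check would accept as a usable price under max_timeout."""
    return [r.round_id for r in rounds if is_fresh(r, current_timestamp, max_timeout)]


NOW = 1_700_000_000  # constructed current block timestamp
# Constructed rounds whose ages straddle both staleness windows.
SAMPLE_ROUNDS = [
    Round(1, 999_500_000_000_000_000, NOW - 10 * 60, 1),              # 10 minutes old
    Round(2, 999_400_000_000_000_000, NOW - CHAINLINK_HEARTBEAT, 2),   # exactly one heartbeat
    Round(3, 999_300_000_000_000_000, NOW - 3 * 24 * 3600, 3),        # 3 days old
    Round(4, 999_200_000_000_000_000, NOW - FOUR_DAY_TIMEOUT - 1, 4),  # just past 4 days
]

if __name__ == "__main__":
    print("FOUR_DAY_TIMEOUT accepts:", accepted_rounds(SAMPLE_ROUNDS, NOW, FOUR_DAY_TIMEOUT))
    print("heartbeat-aligned accepts:", accepted_rounds(SAMPLE_ROUNDS, NOW, HEARTBEAT_TIMEOUT))
```

Round 3, a three day old price, is accepted under FOUR_DAY_TIMEOUT but rejected under the heartbeat-aligned window, while round 2 shows the grace period is what keeps a normal on-schedule update from being rejected.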