DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

`LibFertilizer::beginBarnRaiseMigration` lacks proper oracle support verification, risking depegging

Description

In LibFertilizer::beginBarnRaiseMigration, which runs during a barn raise migration, the protocol queries the price of the non-Bean token in the Well pool through LibUsdOracle, which in turn relies on Chainlink oracles.

// Check that Lib Usd Oracle supports the non-Bean token in the Well.
LibUsdOracle.getTokenPrice(address(tokens[tokens[0] == C.bean() ? 1 : 0]));

However, this call does not revert if the oracle does not support the token; instead, it returns 0, and since the return value is discarded rather than checked, the migration proceeds as if a price had been obtained. This behavior comes from LibChainlinkOracle::getPrice, which returns 0 instead of reverting when an error occurs, and every function on the call path propagates that 0 rather than reverting.
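The following is an added illustration of the failure mode the description attributes to the oracle path; it is not Beanstalk's LibChainlinkOracle, LibUsdOracle or LibFertilizer code. SwallowingOracle, MigrationExample, the aggregator registry, the staleness threshold and the two test-double feeds are all hypothetical. Only AggregatorV3Interface is the real Chainlink interface. The point it shows is that a wrapper which catches every aggregator failure and returns 0 can only protect a caller that actually inspects the return value, and that a wrong aggregator address (an account with no code) is a distinct case that try/catch alone does not cover.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Standard Chainlink aggregator interface (the only non-hypothetical piece here).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical wrapper mirroring the pattern the finding describes: every failure
/// path yields 0 instead of reverting. Not Beanstalk's LibChainlinkOracle.
library SwallowingOracle {
    uint256 internal constant MAX_AGE = 1 days; // assumed staleness bound, illustrative only

    function getPrice(address aggregator) internal view returns (uint256) {
        // A high-level call to an address with no code reverts in the caller before the
        // call is made, and try/catch does not catch that, so the wrong-address case
        // (an "incorrect aggregator address") must be guarded explicitly.
        if (aggregator.code.length == 0) return 0;
        try AggregatorV3Interface(aggregator).latestRoundData() returns (
            uint80, int256 answer, uint256, uint256 updatedAt, uint80
        ) {
            if (answer <= 0) return 0;                                  // no usable answer
            if (updatedAt > block.timestamp) return 0;                  // malformed timestamp
            if (block.timestamp - updatedAt > MAX_AGE) return 0;        // stale round
            return uint256(answer);
        } catch {
            return 0;                                                   // feed reverted ("unresponsive")
        }
    }
}

/// Hypothetical caller: the unchecked pattern beside the checked one.
contract MigrationExample {
    mapping(address => address) public aggregatorOf; // token => aggregator, hypothetical registry
    error OracleReturnedZero(address token);

    function setAggregator(address token, address aggregator) external {
        aggregatorOf[token] = aggregator;
    }

    // Mirrors the finding: the result is discarded, so a token with no working feed passes.
    function beginMigrationUnchecked(address token) external view returns (bool) {
        SwallowingOracle.getPrice(aggregatorOf[token]);
        return true; // always reaches here, even when the price was 0
    }

    // Hardened: refuse to proceed when no usable price was obtained.
    function beginMigrationChecked(address token) external view returns (uint256 price) {
        price = SwallowingOracle.getPrice(aggregatorOf[token]);
        if (price == 0) revert OracleReturnedZero(token);
    }
}

/// Constructed test doubles: one healthy feed and one that reverts.
contract HealthyFeed is AggregatorV3Interface {
    function decimals() external pure returns (uint8) { return 8; }
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, 1e8, block.timestamp, block.timestamp, 1); // 1.00000000 USD
    }
}

contract BrokenFeed is AggregatorV3Interface {
    function decimals() external pure returns (uint8) { return 8; }
    function latestRoundData() external pure returns (uint80, int256, uint256, uint256, uint80) {
        revert("feed offline");
    }
}
```

Deploy MigrationExample with a token mapped to a HealthyFeed, a BrokenFeed, and an EOA in turn: beginMigrationUnchecked returns true for all three, while beginMigrationChecked returns 1e8 for the healthy feed and reverts with OracleReturnedZero for the other two.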

Risk

Likelihood: Low

  • Occurs during any barn raise migration in which the aggregator address configured for the non-Bean token is wrong or the oracle is unresponsive.

Impact: High

  • The call succeeds silently, so tests and the migration itself pass and the protocol assumes the migration went smoothly.

  • If the non-Bean token has no functional oracle, the whole protocol is disrupted, because that price is used to peg Bean.

Recommended Mitigation

Capture the return value and revert if it is 0:

-LibUsdOracle.getTokenPrice(address(tokens[tokens[0] == C.bean() ? 1 : 0]));
+uint price = LibUsdOracle.getTokenPrice(address(tokens[tokens[0] == C.bean() ? 1 : 0]));
+if(price == 0){
+ revert("Oracle does not return any price");
+}
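Review bot: the `+if(price == 0){` check matches the failure path described above, but the `revert("Oracle does not return any price")` message gives no indication of which token or aggregator failed, which is the one piece of information an operator needs when a migration aborts; a custom error carrying the token address (the non-Bean token selected on the preceding line) would be the idiomatic 0.8.x form and cheaper in bytecode than the string. If nothing else uses `price` after the check, the three added lines can also collapse into a single `require(... != 0, ...)`.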
Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid
