DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

`getUsdPrice` can be manipulated by a malicious user to get a TWAP benefiting their actions

Summary

The getUsdPrice function retrieves the price of a specified token in USD, with an optional parameter called lookback to determine the time window for calculating the Time-Weighted Average Price (TWAP). However, there is no check in the function to handle cases where the lookback parameter is set to a value less than or equal to 900 seconds, as recommended in the code comments. This oversight could potentially lead to price manipulation.

The code comments say:

/**
* @dev Returns the price of a given token in in USD with the option of using a lookback. (Usd:token Price)
* `lookback` should be 0 if the instantaneous price is desired. Otherwise, it should be the
* TWAP lookback in seconds.
* If using a non-zero lookback, it is recommended to use a substantially large `lookback`
* (> 900 seconds) to protect against manipulation. // @audit
*/

Impact

If the lookback parameter is set to a value greater than 0 but less than or equal to 900 seconds, it opens up the possibility of price manipulation within that specific time window. For instance, a shorter time window allows potential hackers to influence the price within that period, leading to a manipulated price. This could undermine the reliability of the oracle and affect individuals relying on its price data for decision-making.

Recommendation

Implement a check in the getUsdPrice function to ensure that the lookback parameter is greater than 900 seconds, as advised in the code comments.

For example, you can add a check like the one below:

function getUsdPrice(address token, uint256 lookback) internal view returns (uint256) {
    // Per the code comments, lookback == 0 means the instantaneous price and must stay allowed;
    // any non-zero TWAP window has to exceed 900 seconds.
    require(lookback == 0 || lookback > 900, "Lookback should be 0 or greater than 900 seconds to protect against manipulation.");
    // Function implementation...
}
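As an added illustration that is not part of the submission or the project's code, the Python simulation below uses a constructed step-function price history (stable at 1.00 USD, with a single 12-second excursion to 3.00 USD, i.e. roughly one block) to show how much that excursion moves a TWAP over a short window versus one above 900 seconds, and applies the recommended lookback check in front of the price lookup. The observation format, `MIN_LOOKBACK` and the function names are assumptions for this example.

```python
from dataclasses import dataclass
from typing import List

MIN_LOOKBACK = 900  # seconds; the threshold named in the oracle's own comment (assumed constant name)


@dataclass
class Observation:
    timestamp: int   # seconds
    price: float     # USD per token, held until the next observation (constructed step function)


def validate_lookback(lookback: int) -> None:
    """The recommended check: 0 means spot price, any TWAP window must exceed 900 seconds."""
    if lookback != 0 and lookback <= MIN_LOOKBACK:
        raise ValueError("lookback must be 0 (spot) or > 900 seconds")


def twap_raw(history: List[Observation], now: int, lookback: int) -> float:
    """Unchecked time-weighted average over [now - lookback, now]; lookback 0 returns spot."""
    if lookback == 0:
        return history[-1].price
    start = now - lookback
    weighted = 0.0
    for i, obs in enumerate(history):
        seg_end = history[i + 1].timestamp if i + 1 < len(history) else now
        a, b = max(obs.timestamp, start), min(seg_end, now)   # clip segment to the window
        if b > a:
            weighted += obs.price * (b - a)
    return weighted / lookback


def get_usd_price(history: List[Observation], now: int, lookback: int) -> float:
    """Hardened lookup: rejects manipulable windows before computing the TWAP."""
    validate_lookback(lookback)
    return twap_raw(history, now, lookback)


# Constructed history: 1.00 USD for an hour, then a 12-second excursion to 3.00 USD ending at NOW.
HISTORY = [Observation(0, 1.0), Observation(3588, 3.0)]
NOW = 3600


def deviation_pct(lookback: int) -> float:
    """Relative deviation of the (unchecked) TWAP from the 1.00 USD baseline, in percent."""
    return (twap_raw(HISTORY, NOW, lookback) - 1.0) * 100.0


if __name__ == "__main__":
    for lb in (60, 901):
        print(f"lookback={lb:>4}s  TWAP deviation={deviation_pct(lb):.2f}%")   # 40.00% vs 2.66%
```

The 60-second window lets one block's excursion move the reported price by 40%, while a window just above the 900-second threshold limits it to under 3%, which is why the check matters.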
Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational/Invalid

