DeFi, Hardhat
35,000 USDC
Submission Details
Severity: low
Invalid

`getWstethEthPrice()` in `LibWstethEthOracle` uses an invalid timeout for the `STETH/ETH` Chainlink price feed.

Summary

The `getWstethEthPrice()` function of `LibWstethEthOracle` uses an invalid (too long) timeout for the `STETH/ETH` Chainlink price feed.

Vulnerability Details

`getWstethEthPrice()` passes `LibChainlinkOracle.FOUR_DAY_TIMEOUT` as the staleness timeout for the `STETH/ETH` price feed. That constant equals 345,600 seconds (4 days), while the heartbeat of the `STETH/ETH` feed is 86,400 seconds (24 hours). A feed answer is therefore only treated as stale once it is more than four heartbeats old, which significantly delays detection of a stale or stopped feed.

```solidity
function getWstethEthPrice(uint256 lookback) internal view returns (uint256 wstethEthPrice) {
    uint256 chainlinkPrice = lookback == 0
        ? LibChainlinkOracle.getPrice(WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR, LibChainlinkOracle.FOUR_DAY_TIMEOUT)
        : LibChainlinkOracle.getTwap(
            WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR, LibChainlinkOracle.FOUR_DAY_TIMEOUT, lookback
        );
    ...
```

`./LibChainlinkOracle.sol`:

```solidity
uint256 constant FOUR_DAY_TIMEOUT = 345600;
```

Impact

A timeout significantly longer than the feed's heartbeat means `LibChainlinkOracle` accepts answers that may no longer reflect current market conditions: if the feed stops updating (paused aggregator, failed transmissions), consumers keep reading the last answer for up to four days before the staleness check trips. In a volatile market this lets the protocol price stETH/ETH conversions against an outdated value for that whole window.

Tools Used

Manual Review

Recommendations

Use a per-feed timeout derived from that feed's documented heartbeat (for the `STETH/ETH` feed, 86,400 seconds plus a short grace period for late updates) instead of the shared four-day constant. The timeout should stay as close to the heartbeat as possible while leaving enough slack that a slightly late round does not revert every consumer.
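To make the vulnerability and the recommendation concrete, the following is an added example (not the audited project's code): a Chainlink read with a per-feed staleness bound, plus a mock feed that is three days stale. The names `StalenessCheckedOracle`, `MockAggregator`, `TimeoutDemo`, `STETH_ETH_HEARTBEAT` and `GRACE` are assumptions for this example; the four-day constant matches the one on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the audited project. It assumes the standard
// Chainlink AggregatorV3Interface and uses a mock feed so it runs without
// mainnet access (for example in a Hardhat test, which uses real timestamps).

interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

library StalenessCheckedOracle {
    error InvalidAnswer(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    /// @notice Returns the latest answer, reverting if it is non-positive or
    ///         older than `maxAge` seconds. `maxAge` is chosen per feed from
    ///         that feed's heartbeat, not from one protocol-wide constant.
    function getPrice(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidAnswer(answer);
        // updatedAt == 0 means the round never completed; treat it as stale.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(updatedAt, maxAge);
        }
        return uint256(answer);
    }
}

/// @dev Test double standing in for the real aggregator; the caller sets the age.
contract MockAggregator is AggregatorV3Interface {
    int256 public answer;
    uint256 public updatedAt;

    function set(int256 answer_, uint256 updatedAt_) external {
        answer = answer_;
        updatedAt = updatedAt_;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, updatedAt, updatedAt, 1);
    }
}

contract TimeoutDemo {
    // The constant the finding objects to: 4 days = 345600 seconds.
    uint256 public constant FOUR_DAY_TIMEOUT = 4 days;
    // Heartbeat of the feed discussed in the finding (24 hours), plus a short
    // grace period so a slightly late update does not revert every consumer.
    uint256 public constant STETH_ETH_HEARTBEAT = 24 hours;
    uint256 public constant GRACE = 1 hours;

    MockAggregator public feed = new MockAggregator();

    constructor() {
        // Constructed sample: an answer of 1.15 ETH (18 decimals) last
        // updated three days ago. Assumes a chain whose block.timestamp is
        // at least three days past epoch, which is true of Hardhat's default.
        feed.set(1.15e18, block.timestamp - 3 days);
    }

    /// Succeeds: a three-day-old answer is still inside the four-day window.
    function readWithFourDayTimeout() external view returns (uint256) {
        return StalenessCheckedOracle.getPrice(feed, FOUR_DAY_TIMEOUT);
    }

    /// Reverts with StalePrice: the same answer is far past heartbeat + grace.
    function readWithHeartbeatTimeout() external view returns (uint256) {
        return StalenessCheckedOracle.getPrice(feed, STETH_ETH_HEARTBEAT + GRACE);
    }
}
```

Deploying `TimeoutDemo` and calling both read functions shows the gap: with the page's constant the stale answer is returned as if current, while the heartbeat-derived bound rejects it. The per-feed `maxAge` argument is the design point; a library that takes the bound from the caller can serve feeds with different heartbeats without a single constant that is wrong for most of them.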

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink timeout

0xsandy Submitter, over 1 year ago
giovannidisiena Lead Judge, over 1 year ago
