DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

``LibWstethEthOracle`` has no ``minAnswer`` check implemented for ``getWstethEthPrice()`` function.

Summary

LibWstethEthOracle has no minAnswer/maxAnswer check in its getWstethEthPrice() function: the Chainlink answer it consumes is never validated against a price band.

Vulnerability Details

getWstethEthPrice() obtains the Chainlink leg of its price from LibChainlinkOracle.getPrice() (or getTwap() when a lookback is supplied).

./LibWstethEthOracle

```solidity
function getWstethEthPrice(uint256 lookback) internal view returns (uint256 wstethEthPrice) {
    uint256 chainlinkPrice = lookback == 0
        ? LibChainlinkOracle.getPrice(WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR, LibChainlinkOracle.FOUR_DAY_TIMEOUT)
        : LibChainlinkOracle.getTwap(
            WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR, LibChainlinkOracle.FOUR_DAY_TIMEOUT, lookback
        );
    // ... remainder of the function omitted in this report
}
```

LibChainlinkOracle#getPrice() validates the roundId, the timestamp and the sign of the answer, but performs no minAnswer/maxAnswer check on the returned value:

./LibChainlinkOracle.sol

```solidity
function getPrice(address priceAggregatorAddress, uint256 maxTimeout) internal view returns (uint256 price) {
    IChainlinkAggregator priceAggregator = IChainlinkAggregator(priceAggregatorAddress);
    // First, try to get current decimal precision:
    uint8 decimals;
    try priceAggregator.decimals() returns (uint8 _decimals) {
        // If call to Chainlink succeeds, record the current decimal precision
        decimals = _decimals;
    } catch {
        // If call to Chainlink aggregator reverts, return a price of 0 indicating failure
        return 0;
    }
    // Secondly, try to get latest price data:
    try priceAggregator.latestRoundData() returns (
        uint80 roundId, int256 answer, uint256, /* startedAt */ uint256 timestamp, uint80 /* answeredInRound */
    ) {
        // Check for an invalid roundId that is 0
        if (roundId == 0) return 0;
        if (checkForInvalidTimestampOrAnswer(timestamp, answer, block.timestamp, maxTimeout)) {
            return 0;
        }
        // Adjust to 6 decimal precision.
        return uint256(answer).mul(PRECISION).div(10 ** decimals);
    } catch {
        // If call to Chainlink aggregator reverts, return a price of 0 indicating failure
        return 0;
    }
}
```

Thus, during extreme market events there is no way to detect that the price of the asset has moved outside a predetermined band; any positive, fresh answer is accepted as-is.

Impact

Chainlink aggregators carry a built-in minAnswer/maxAnswer circuit breaker: when the market price moves outside that range, the feed keeps reporting the bound (the floor or the ceiling) rather than the real price. If the price of the asset crashes below minAnswer, the feed continues to report minAnswer, a value above the true market price, and this contract accepts it, allowing users to transact at an incorrect price. This could result in financial losses for users and undermine the integrity of the system.

The same concern applies when a peg breaks sharply, as with the stETH/ETH peg not long after the LUNA crash: the discount was roughly 8%, meaning stETH could be bought about 8% below ETH. Validating the answer against minAnswer/maxAnswer bounds would make the oracle refuse to serve prices that far outside the expected range instead of passing them on.

Tools Used

Manual Analysis

Recommendations

It is recommended to enhance LibWstethEthOracle by checking the returned answer against predefined minPrice and maxPrice bounds. If the answer falls on or outside these bounds, the oracle should revert (or return 0, consistent with its other failure paths), indicating that the price data is not reliable under current market conditions.
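The following is an added illustration of the recommended check, written for this page and not taken from the project's code base. The library, contract and function names (LibBoundedChainlinkOracle, getBoundedPrice, MockAggregator, BoundedOracleDemo), the [0.5, 2.0] wstETH/ETH band and the 4-day timeout are all assumptions for the example; a real deployment would pick the band per feed and could read the aggregator's own minAnswer()/maxAnswer() instead of hard-coding it. The mock feed is constructed so the check can be exercised offline.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the Chainlink aggregator interface needed here (assumed; the project's own
// IChainlinkAggregator is not reproduced).
interface IChainlinkAggregator {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical hardened reader; bounds are supplied per feed by the caller.
library LibBoundedChainlinkOracle {
    uint256 internal constant PRECISION = 1e6;

    // Returns the answer scaled to 6 decimals, or 0 when the data must not be used:
    // reverting feed, roundId 0, missing/future/stale timestamp, or an answer sitting on
    // or outside the [minAnswer, maxAnswer] band.
    function getBoundedPrice(
        address aggregatorAddress,
        uint256 maxTimeout,
        int256 minAnswer,
        int256 maxAnswer
    ) internal view returns (uint256) {
        IChainlinkAggregator agg = IChainlinkAggregator(aggregatorAddress);
        uint8 decimals;
        try agg.decimals() returns (uint8 d) {
            decimals = d;
        } catch {
            return 0;
        }
        try agg.latestRoundData() returns (uint80 roundId, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (roundId == 0) return 0;
            if (updatedAt == 0 || updatedAt > block.timestamp) return 0;
            if (block.timestamp - updatedAt > maxTimeout) return 0;
            // A Chainlink aggregator clamps to its floor/ceiling instead of reporting the real
            // market price, so an answer equal to either bound is exactly the case to reject.
            if (answer <= minAnswer || answer >= maxAnswer) return 0;
            return (uint256(answer) * PRECISION) / (10 ** decimals);
        } catch {
            return 0;
        }
    }
}

// Constructed mock feed so the library can be exercised without a live aggregator.
contract MockAggregator is IChainlinkAggregator {
    int256 private _answer;
    uint256 private _updatedAt;

    function set(int256 answer, uint256 updatedAt) external {
        _answer = answer;
        _updatedAt = updatedAt;
    }

    function decimals() external pure returns (uint8) {
        return 18;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, _answer, _updatedAt, _updatedAt, 1);
    }
}

// Constructed walk-through. The band and timeout are assumed example values.
contract BoundedOracleDemo {
    MockAggregator public feed = new MockAggregator();
    int256 internal constant MIN_ANSWER = 5e17; // 0.5 wstETH/ETH
    int256 internal constant MAX_ANSWER = 2e18; // 2.0 wstETH/ETH
    uint256 internal constant TIMEOUT = 4 days;

    function read() internal view returns (uint256) {
        return LibBoundedChainlinkOracle.getBoundedPrice(address(feed), TIMEOUT, MIN_ANSWER, MAX_ANSWER);
    }

    // Healthy feed: 1.1 wstETH/ETH is inside the band and fresh, so a 6-decimal price comes back.
    function healthy() external returns (uint256) {
        feed.set(11e17, block.timestamp);
        return read();
    }

    // Market crashed below the floor: the feed reports exactly minAnswer. The unbounded
    // getPrice() on this page would accept it; the bounded reader returns 0.
    function clampedToFloor() external returns (uint256) {
        feed.set(MIN_ANSWER, block.timestamp);
        return read();
    }

    // Feed that has never updated: rejected by the timestamp check before the band check.
    function neverUpdated() external returns (uint256) {
        feed.set(11e17, 0);
        return read();
    }
}
```

The band check deliberately uses `<=` and `>=` rather than strict comparisons: an aggregator that has hit its circuit breaker reports a value equal to the bound, so a strict check would wave through the one case the band exists to catch. Returning 0 rather than reverting keeps the failure mode consistent with the rest of LibChainlinkOracle, where callers already treat 0 as "no usable price".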

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink validation
