Summary

When calling the WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR (0x86392dC19c0b719886221c78AB11eb8Cf5c52812, which is actually the stEth-Eth chainlink aggregator) to determne the stEth - Eth price, the FOUR_DAY_TIMEOUT constant is used to determine if the returned price is stale or not. FOUR_DAY_TIMEOUT is set to 345600 seconds (4 days) which is four times longer than the Chainlink heartbeat of the WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR, introducing a significant delay in recognizing stale or outdated price data.

Vulnerability Details

When the migration to wstETh is finished, during the process of minting new fertilizer, the function LibChainlinkOracle.checkForInvalidTimestampOrAnswer is called to determine if the price provided by the oracle is invalid:

The function checks if the difference between the currentTimestamp and the timestamp is greater than maxTimeout to ensure the given answer is not stale:

The problem is that the used maxTimestamp is the constant FOUR_DAY_TIMEOUT which is 345.600 seconds (4 days) but the heartbeat of the WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR is only 1 day. This can result in a stale price not been recognized for 3 day.

Impact

The Chainlink heartbeat indicates the expected frequency of updates from the oracle. The Chainlink heartbeat on Ethereum for stEth/Eth is 86.400 seconds (1 day).

https://data.chain.link/feeds/ethereum/mainnet/steth-eth

The FOUR_DAY_TIMEOUT which is 345600 seconds (4 days).

Checking the staleness of the oracle answer using FOUR_DAY_TIMEOUT which is significantly longer than the heartbeat can lead to scenarios where the LibChainlinkOracle library accepts data that may no longer reflect current market conditions. Also, in volatile markets, a 4-day window leads to accepting outdated prices, increasing the risk of price slippage.

Tools Used

Manual Review

Recommendations

Reduce the FOUR_DAY_TIMEOUT to 1 day to align with the Chainlink heartbeat of the WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR on Ethereum, ensuring the received data is up to date and not stale.