There is a more efficient and secure way to compute `wstETH:ETH` price using Chainlink
Summary
The chosen stETH:ETH Chainlink Oracle has a huge heartbeat, which exposes the protocol to unnecessary risk that could be easily mitigated by chosing another path of computing the same price with two different Chainlink Oracles that have a better heartbeat.
Vulnerability Details
According to the handy comments in LibWstethEthOracle.sol the price ofwstETH:ETH is computed as follows:
Looking at the feed details on Chainlink's Price Feed page we can see the following details:
On the same page we find the following:
Changing the way the Chainlink price is computed from a * b to a * (STETH / USD) * 1/(ETH / USD)(adjusted for decimals) would yield an overall heartbeat of 3600s (1 hour) vs the existing one of 86400s (1 day).
A similar finding is available here.
Moreover there's a strong chance this was the intention of the developer given that the RFC doesn't specify the stETH:ETH Chainlink Oracle but specifies the stETH:USD Chainlink Oracle and a different method of computing the wstETH:ETH price.
Impact
Protocol could use inaccurate prices, or at least could benefit from a more accurate price feed in case the proposed changed is implemented.
Likelihood: Low to Extremely Low
Impact: The consumption of stale prices is usually Medium-High depending on how bad the consumed price is.
Overall I consider the severity Low.
Tools Used
Manual review
Recommendations
Implement the a * (STETH / USD) * 1/(ETH / USD)(adjusted for decimals) instead of wstETH -> ETH via Chainlink: a * b used currently.
Lead Judging Commences
wstETH:ETH price calculation
wstETH:ETH price calculation
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.