Summary

Four_hour_timeout and Four_DAY_TIMEOUT time is too long, outdated prices can still be returned

Vulnerability Details

The Chainlink heartbeat indicates the expected frequency of updates from the oracle. The Chainlink heartbeat on Ethereum for ETH / USD is 3600 seconds (1 hour).

Please take a look：

https://data.chain.link/feeds/ethereum/mainnet/eth-usd

The problem with the code is here:

https://github.com/Cyfrin/2024-04-beanstalk-2/blob/27ff8c87c9164c1fbff054be5f22e56f86cdf127/protocol/contracts/libraries/Oracle/LibChainlinkOracle.sol#L23-L26

https://github.com/Cyfrin/2024-04-beanstalk-2/blob/27ff8c87c9164c1fbff054be5f22e56f86cdf127/protocol/contracts/libraries/Oracle/LibEthUsdOracle.sol#L46

But CHAINLINK_TIMEOUT defined in LibChainlinkOracle.sol is 14400 seconds (4 hours) and 345600 (4 days)

Impact

Even if the price is outdated (more than the normal 1 hour), the outdated price will still be obtained

an example to prove:

ETH fluctuates 10% within an hour (or two), which is common in the cryptocurrency space. The quotation at this time should be obtained within one hour (the official definition is one hour), but since the price within 2 to 4 hours is also within the 4-hour range (FOUR_HOUR_TIMEOUT), this will obtain an outdated price, causing the price to be very inaccuracy

Tools Used

Manual review

Recommendations

It should be consistent with the Heartbeat of ETH/USD

https://data.chain.link/feeds/ethereum/mainnet/eth-usd