DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Valid

Missing `lookback` parameter when invoking `getWstethUsdPrice()` in the `getTokenPrice` function

Summary

When the token is WSTETH, `getTokenPrice` calls `getWstethUsdPrice()` without using its `lookback` parameter.
Instead, it passes a constant value of 0 as the lookback when calling `LibWstethUsdOracle.getWstethUsdPrice()`,
so it always returns the current spot price for wstETH.

Vulnerability Details

```solidity
function getTokenPrice(address token, uint256 lookback) internal view returns (uint256) {
    if (token == C.WETH) {
        uint256 ethUsdPrice = LibEthUsdOracle.getEthUsdPrice(lookback);
        if (ethUsdPrice == 0) return 0;
        return ethUsdPrice;
    }
    if (token == C.WSTETH) {
        uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(0); // @audit missing lookback?
        if (wstethUsdPrice == 0) return 0;
        return wstethUsdPrice;
    }
    revert("Oracle: Token not supported.");
}
```

Impact

For wstETH, `getTokenPrice` always returns the current price instead of the TWAP.
This could lead to inaccurate calculations in code that calls `getTokenPrice` for wstETH.

Tools Used

Manual review

Recommendations

Pass the `lookback` parameter instead of 0:

```solidity
uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(lookback);
```
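A regression check for this finding, as an added example that is not the project's code: it compares the reported wstETH branch with the recommended one against a stand-in oracle whose spot and time-weighted prices differ. `MockWstethUsdOracle`, `LookbackRegression`, the `WSTETH` placeholder address, the price constants and the 900-second window are all assumptions constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for LibWstethUsdOracle (not the project's library).
// As in the finding, lookback == 0 yields the spot price; any other value
// yields a time-weighted price. Both prices are made-up 6-decimal values.
library MockWstethUsdOracle {
    uint256 internal constant SPOT = 3900e6; // constructed spot price
    uint256 internal constant TWAP = 3500e6; // constructed TWAP

    function getWstethUsdPrice(uint256 lookback) internal pure returns (uint256) {
        return lookback == 0 ? SPOT : TWAP;
    }
}

contract LookbackRegression {
    // Placeholder address, not the real wstETH token address.
    address internal constant WSTETH = address(0xBEEF);

    // wstETH branch as reported: lookback is accepted but never forwarded
    // (the compiler's unused-parameter warning here is the same symptom).
    function getTokenPriceReported(address token, uint256 lookback) public pure returns (uint256) {
        if (token == WSTETH) return MockWstethUsdOracle.getWstethUsdPrice(0);
        revert("Oracle: Token not supported.");
    }

    // wstETH branch with the recommendation applied: lookback is forwarded.
    function getTokenPriceFixed(address token, uint256 lookback) public pure returns (uint256) {
        if (token == WSTETH) return MockWstethUsdOracle.getWstethUsdPrice(lookback);
        revert("Oracle: Token not supported.");
    }

    // True only if the price returned for a non-zero lookback equals what the
    // oracle itself reports for that lookback. With the constants above this
    // is false for the reported branch (3900e6 vs 3500e6) and true for the fix.
    function lookbackIsForwarded(bool useFixed) external pure returns (bool) {
        uint256 lookback = 900; // constructed window, in seconds
        uint256 got = useFixed
            ? getTokenPriceFixed(WSTETH, lookback)
            : getTokenPriceReported(WSTETH, lookback);
        return got == MockWstethUsdOracle.getWstethUsdPrice(lookback);
    }
}
```

The check only detects the dropped argument when the oracle's spot and time-weighted values differ, so a test oracle that returns one price for every lookback would let the reported branch pass.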

Updates

Lead Judging Commences

giovannidisiena Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Unused lookback parameter
