The LibWstethEthOracle library uses a CHAINLINK_TIMEOUT constant set to 345,600 seconds (4 days). This duration is four times longer than the Chainlink heartbeat of 86,400 seconds (1 day), potentially introducing a significant delay in recognizing stale or outdated price data. Additionally, because of how the price retrieval mechanism is implemented in this library, it is possible that the returned wstethEthPrice is often 0, because the Chainlink price deviates by more than the allowed 1% tolerance from the TWAP price returned by Uniswap.
Let's analyze the LibWstethEthOracle::getWstethEthPrice function to understand the source of this issue.
As we can see, when lookback is equal to 0, the protocol uses the LibChainlinkOracle.getPrice function with a 4-day timeout period. However, the STETH/ETH price feed's heartbeat is 1 day. This means that it is possible to receive a stale price when using the getWstethEthPrice function. The safeguard against this is Uniswap's TWAP, which ensures that the prices returned from Chainlink and Uniswap don't deviate by more than 1%. However, because the queried price can be up to 4 days old, it is very likely that the price deviates by more than 1%, often resulting in the value returned from getWstethEthPrice being zero: the if statement is never entered, and the returned value is the default for uint256.
Here is the check for 1% deviation, which will often not be entered due to the significant time gap between querying prices:
This makes functions dependent on LibWstethEthOracle::getWstethEthPrice perform operations with a 0 value.
Functions that depend on LibWstethEthOracle::getWstethEthPrice may operate with a zero value, leading to failed transactions or incorrect operations.
VSCode, manual code review
Consider reducing the CHAINLINK_TIMEOUT to align more closely with the Chainlink heartbeat on Ethereum to ensure the price data remains current and accurate.
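The interaction described in this finding, modelled in Python as an added example (not the project's Solidity code): a stale-round check with a configurable timeout, the 1% deviation gate with its zero default, and a caller-side guard against that default. The function names, the 1e6 price scaling, the basis-point arithmetic, the averaging of the two sources and the sample values are assumptions made for illustration.

```python
# Python model of the logic described in the finding; not the project's Solidity.
CHAINLINK_TIMEOUT = 345_600   # 4 days, value from the finding
HEARTBEAT = 86_400            # 1 day, STETH/ETH feed heartbeat from the finding
MAX_DIFFERENCE_BPS = 100      # 1% tolerance, expressed in basis points (assumed unit)


def chainlink_price(answer, updated_at, now, timeout):
    # Return the feed answer, or 0 if the round is invalid or older than `timeout`.
    if answer <= 0 or updated_at == 0 or updated_at > now:
        return 0
    if now - updated_at > timeout:
        return 0
    return answer


def deviation_bps(a, b):
    # Absolute difference relative to the smaller value, in basis points (assumed formula).
    lo, hi = (a, b) if a <= b else (b, a)
    return (hi - lo) * 10_000 // lo


def wsteth_eth_price(chainlink, twap):
    # Return a price only if both sources agree within 1%; otherwise the default 0.
    if chainlink == 0 or twap == 0:
        return 0
    if deviation_bps(chainlink, twap) <= MAX_DIFFERENCE_BPS:
        return (chainlink + twap) // 2   # assumed combination; the page does not show it
    return 0


def require_price(price):
    # Caller-side guard: refuse to operate on the zero default.
    if price == 0:
        raise ValueError("oracle returned no usable price")
    return price


# Constructed sample data (prices scaled by 1e6, times in seconds).
NOW = 1_700_000_000
STALE_ROUND = (980_000, NOW - 2 * HEARTBEAT)   # (answer, updatedAt): two days old
TWAP_NOW = 1_000_000                           # market has moved about 2% since that round

accepted = chainlink_price(*STALE_ROUND, NOW, CHAINLINK_TIMEOUT)  # passes the 4-day check
rejected = chainlink_price(*STALE_ROUND, NOW, HEARTBEAT)          # fails a 1-day check
```

With the 4-day timeout the two-day-old round is treated as fresh and then fails the 1% gate, so the price silently becomes 0; with a timeout equal to the heartbeat the same round is rejected at the staleness check, and `require_price` keeps either zero from reaching dependent logic.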