`C.sol` is completely incompatible on the L2 chain Beastalk is going to be deployed on
Summary
C.sol is incompatible with the L2 chain where Beanstalk is set to deploy, due to the use of Ethereum mainnet-specific Chainlink price feed addresses.
Vulnerability Details
Take a look at https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/8c8710df547f7d7c5dd82c5381eb6b34532e4484/protocol/contracts/C.sol#L79-L85
These are all the Chainlink price feeds that protocol uses to query prices for other core functionalities, however going to the official site for feeds from Chainlink here: https://docs.chain.link/data-feeds/price-feeds/addresses?network=arbitrum&page=1&search=0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419 we can see that these addresses are only right on the Ethereum mainnet and would not work on the L2 protocol plans to deploy to.
Impact
DOS to core functionalities of C.sol where Chainlink needs to get queried, considering these attempts would revert considering the addresses are not Chainlink providers on these chains
Tools Used
Manual review
Recommendations
Consider passing the addresses via a constructor and then they should match with the addresses that protocol is going ton get deployed on.
Lead Judging Commences
Hardcoded Chainlink Heartbeats on L2
Appeal created
Hardcoded Chainlink Heartbeats on L2
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.