Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

ETH/USD 1 hour period is too large for Optimism/Base L2 Chains and too small for Arbitrum/Avalanche leading to consuming stale price data.

Uno

Summary

This is not considered Known Issue.

The stale period 1 hours is too large for Optimism and Base chains, leading to consuming stale price data.
On the other hand, that period is too small for Arbitrum and Avalanche chains.

Vulnerability Details

After the Previous Audit (Beanstalk Part 1) The Beanstalk will update CHAINLINK_TIMEOUT to 1 hour instead of 4 hours but its still an issue after
the migration to L2 Chains Optimism/Base/Avalanche/Arbitrum etc..

in previous audit a chainlink oracle Vulnerability was submitted and validated as Medium the bug was:

The LibChainlinkOracle library utilizes a CHAINLINK_TIMEOUT constant set to 14400 seconds (4 hours). This duration is four times longer than the Chainlink heartbeat that is 3600 seconds (1 hour), potentially introducing a significant delay in recognizing stale or outdated price data.

link to previous audit (Beanstalk Part 1):
https://codehawks.cyfrin.io/c/2024-02-Beanstalk-1/results?t=report&lt=contest&sc=reward&sj=reward&page=1

This was on ethereum mainnet but after migration to L2, CHAINLINK_TIMEOUT must be changed to fit the targeted L2.

Beanstalk will migrate to L2 Optimism or Base or Avalanche etc... and these chains has different ETH/USD heartbeats:

On Ethereum, the oracle will update the price data every ~1 hour.
On Optimism, the oracle will update the price data every ~20 minutes.
On Base, the oracle will update the price data every ~20 minutes.
On Arbitrum, the oracle will update the price data every ~24 hours.
On Avalanche, the oracle will update the price data every ~24 hours.

On some chains such as Optimism Base, 1 hour considered too large for the stale period, causing to return stale price data.
And on other chains such as Arbitrum Avalanche 1 hour considered too small.

Impact

A CHAINLINK_TIMEOUT that is significantly longer than the heartbeat can lead to scenarios where the LibChainlinkOracle
library accepts outdated price.

Tools Used

Previous Audits: https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/issues/961

Recommendations

Consider to set the right heartbeat for the targeted L2.

On Optimism, the oracle will update the price data every ~20 minutes.
On Base, the oracle will update the price data every ~20 minutes.
On Arbitrum, the oracle will update the price data every ~24 hours.
On Avalanche, the oracle will update the price data every ~24 hours.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Hardcoded Chainlink Heartbeats on L2

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Hardcoded Chainlink Heartbeats on L2

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.