Generalized oracle doesn't work on L2
Summary
Beanstalk now introduces a generalized oracle when whitelisting tokens.
There are two problems with the current implementation:
-
1st: Beanstalk will be deployed on L2, but it can only function on Ethereum when using the Chainlink Registry to fetch the price feed. This is because the Chainlink Feed Registry is deployed exclusively on Ethereum: https://docs.chain.link/data-feeds/feed-registry.
-
2nd: A hardcoded timeout is used for all added oracles. However, oracles have different heartbeats, and when comparing L1 and L2, even oracles with the same assets have different heartbeats. I.e:
ETH / USD in Ethereum has a heartbeat of 1 hour / Arbitrum 24 hours / OP 20 minutes.
Reference:
https://data.chain.link/feeds/ethereum/mainnet/eth-usd
https://data.chain.link/feeds/arbitrum/mainnet/eth-usd
https://data.chain.link/feeds/optimism/mainnet/eth-usd
Vulnerability Details
Context: LibUsdOracle -> getTokenPriceFromExternal.
1st: Chainlink Registry is used to fetch price for both: encodeType 0x01 and 0x02:
2nd:
Hardcoded timeout:
Notice there are hardcoded timeouts spreaded in other files like LibEthUsdOracle for instance.
Impact
Generalised Oracles will not work on L2s when price feed registry is used.
Hardcoded timeout creates a high risk of consuming staled price as it will not reflect the Oracle's heartbeat.
Tools Used
Manual Review
Recommendations
Remove the price registry logic and work directly with price feeds when whitelisting tokens.
Introduce a new field i.e. oracleTimeout per oracle and use this one instead of the hardcoded values.
Lead Judging Commences
Chainlink Oracle FeedRegistry only available on L1
Appeal created
Chainlink Oracle FeedRegistry only available on L1
Hardcoded Chainlink Heartbeats on L2
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.