Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Lack of l2 sequencer up check in oracle feed.

asefewwexa

Line of code

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/libraries/Oracle/LibChainlinkOracle.sol#L17

Summary

There is no check if the sequencer is online

Vulnerability Details

It is best practice to check that the sequencer is online before doing any calls to an oracle. If no such check is performed this can allow malicious users to have access to stale prices during the sequener downtime and can lead to a loss of funds for the protocol.

Chainlink sequencer feeds can be implemented to ensure the sequencer is online
https://docs.chain.link/data-feeds/l2-sequencer-feeds

Impact

The lack of check that the sequencer is online can lead to the use of stale prices in the protocol then the stale price can be consumed if the sequencer goes offline.

Tools Used

manual review

Recommendations

add sequencer feed to ensure the sequencer is online and we do not accept tx in an offline state.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

L2 Sequencer check

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.