Submission Details
Severity: low
Invalid

The 4-hour timeout for the Chainlink oracle is too long and will lead to stale prices

Line of code

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/libraries/Oracle/LibUsdOracle.sol#L157

Summary

The 4-hour timeout for the Chainlink oracle is too long and will lead to stale prices being accepted.

Vulnerability Details

The timeout applied to the Chainlink response is currently set to 4 hours, so the oracle accepts any answer that is up to 4 hours old. For most feeds that is several heartbeats, so the protocol can end up pricing assets with data that is vastly outdated.

uint256 chainlinkTokenPrice = LibChainlinkOracle.getTokenPrice(
    chainlinkOraclePriceAddress,
    LibChainlinkOracle.FOUR_HOUR_TIMEOUT,
    lookback
);

In a volatile market or time period this can affect the system greatly. The timeout must not be too long, but it also must not be so short that it causes a potential DoS (every price read reverts as soon as a normal heartbeat update lands a few minutes late). The sweet spot is around 1 hour, but it depends on the Chainlink heartbeat of each individual feed.

For example, the heartbeat of the ETH/USD feed is 3600 seconds (1 hour).

https://docs.chain.link/data-feeds/price-feeds/addresses?network=ethereum&page=1&search=0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419
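The following contract is an added example, not Beanstalk code, that shows the alternative to a single hard-coded FOUR_HOUR_TIMEOUT: each feed carries its own documented heartbeat, and the staleness bound is that heartbeat plus a small grace period. The contract name, the GRACE_PERIOD value, the heartbeat mapping and the error names are assumptions for illustration; the AggregatorV3 interface is the standard Chainlink one, declared inline so the file compiles without the @chainlink/contracts package.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so the
// example is self-contained.
interface IAggregatorV3 {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Example oracle reader (not Beanstalk code) that bounds staleness
/// per feed, using the heartbeat published on the Chainlink feed page.
contract HeartbeatAwareOracle {
    error UnknownFeed(address feed);
    error InvalidPrice(address feed, int256 answer);
    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);

    /// Tolerance added on top of the heartbeat. Without it a feed whose
    /// update lands a few blocks late would make every read revert (DoS).
    /// The 15-minute value is an assumption, not a Chainlink recommendation.
    uint256 public constant GRACE_PERIOD = 15 minutes;

    /// feed address => heartbeat in seconds (e.g. 3600 for ETH/USD on mainnet).
    mapping(address => uint256) public heartbeat;

    constructor(address[] memory feeds, uint256[] memory heartbeats) {
        require(feeds.length == heartbeats.length, "length mismatch");
        for (uint256 i = 0; i < feeds.length; i++) {
            require(heartbeats[i] != 0, "zero heartbeat");
            heartbeat[feeds[i]] = heartbeats[i];
        }
    }

    /// @notice Maximum accepted age of an answer for `feed`: heartbeat + grace.
    function maxAge(address feed) public view returns (uint256) {
        uint256 hb = heartbeat[feed];
        if (hb == 0) revert UnknownFeed(feed);
        return hb + GRACE_PERIOD;
    }

    /// @notice Returns the latest price scaled to 1e18, reverting instead of
    /// handing back a stale or non-positive answer.
    function getPrice(address feed) external view returns (uint256 price) {
        uint256 limit = maxAge(feed);

        (, int256 answer, , uint256 updatedAt, ) = IAggregatorV3(feed).latestRoundData();

        if (answer <= 0) revert InvalidPrice(feed, answer);
        // updatedAt == 0 means the round was never completed; otherwise reject
        // anything older than this feed's heartbeat plus the grace period.
        if (updatedAt == 0 || block.timestamp - updatedAt > limit) {
            revert StalePrice(feed, updatedAt, limit);
        }

        uint8 dec = IAggregatorV3(feed).decimals();
        price = (uint256(answer) * 1e18) / (10 ** uint256(dec));
    }
}
```

Deploying this with the ETH/USD feed and a heartbeat of 3600 gives a bound of 1 hour 15 minutes: an answer that is 3 hours old, which the 4-hour constant would accept, reverts here, while an answer that is 62 minutes old (a heartbeat update a couple of minutes late) is still accepted rather than bricking every caller. Feeds with a faster heartbeat get a proportionally tighter bound from the same code.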

Impact

Stale and outdated prices may be accepted by the oracle, leading to incorrect pricing of assets in the protocol.

Tools Used

Manual review

Recommendations

Reduce the timeout duration to about 1 hour, or even 15 minutes for feeds whose heartbeat supports it, so that the price returned is not too stale; ideally derive the bound from each feed's heartbeat rather than one constant for all feeds.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Known - Bean Part 1
