DeFiHardhatFoundry
250,000 USDC
Submission Details
Severity: low
Valid

Hard coded token address will not work on L2

Line of code

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/libraries/Oracle/LibUsdOracle.sol#L76

Summary

Hard coded token address will not work on L2

Vulnerability Details

The addresses for the tokens are hardcoded as constants and will not work when certain functions are called on L2, because the L2 addresses of the corresponding tokens are different.

address internal constant USDC = 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48;
address internal constant USDT = 0xdAC17F958D2ee523a2206206994597C13D831ec7;
address internal constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;
address internal constant WSTETH = 0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0;
address internal constant PIPELINE = 0xb1bE0000C6B3C62749b5F0c92480146452D15423;

The hardcoded addresses are shown above; below is how they are used by the oracle functions.

protocol/contracts/libraries/Oracle/LibUsdOracle.sol:
54 }
55: if (token == C.WSTETH) {
56 uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(lookback);
82 }
83: if (token == C.WSTETH) {
84 uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(0);
protocol/contracts/libraries/Oracle/LibWstethEthOracle.sol:
63 ? LibChainlinkOracle.getPrice(
64: C.WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR,
65 LibChainlinkOracle.FOUR_DAY_TIMEOUT
67 : LibChainlinkOracle.getTwap(
68: C.WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR,
69 LibChainlinkOracle.FOUR_DAY_TIMEOUT,
74
75
76: uint256 stethPerWsteth = IWsteth(C.WSTETH).stEthPerToken();
77
83 lookback == 0 ? LibUniswapOracle.FIFTEEN_MINUTES : uint32(lookback),
84: C.WSTETH_ETH_UNIV3_01_POOL,
85: C.WSTETH,
86 C.WETH,

Because the token addresses on L2 are different, these functions will not work as intended on L2.

Impact

Oracle functions will be DoSed on L2, causing a complete disruption of the protocol on L2.

Tools Used

Manual review

Recommendations

Allow the addresses to be set at initialization or updated on L2 instead of declaring them as constants.
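As an added illustration (not code from the Beanstalk repository), the mainnet-only constant pattern from the report beside a form that takes the per-chain addresses as constructor arguments and refuses to deploy when a supplied address holds no code on that chain; the contract name, the chain-id pin and the custom errors are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Beanstalk code. Weak form: the constants compile and
// deploy on any chain, but these addresses only hold the tokens on Ethereum
// mainnet, so every oracle call through them fails on an L2.
library CMainnetOnly {
    address internal constant WSTETH = 0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0;
    address internal constant WETH   = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;
}

interface IWsteth {
    function stEthPerToken() external view returns (uint256);
}

// Hardened form (assumed design): the deployer supplies the per-chain
// addresses once. Each must already hold code on the chain being deployed
// to, and the chain id is pinned so a deployment script for one network
// cannot be reused unchanged on another.
contract ChainAwareTokens {
    error NotAContract(address token);
    error WrongChain(uint256 expected, uint256 actual);

    address public immutable WSTETH;
    address public immutable WETH;
    uint256 public immutable CHAIN_ID;

    constructor(uint256 chainId, address wsteth, address weth) {
        if (block.chainid != chainId) revert WrongChain(chainId, block.chainid);
        _requireContract(wsteth);
        _requireContract(weth);
        CHAIN_ID = chainId;
        WSTETH = wsteth;
        WETH = weth;
    }

    // The same call the wstETH oracle makes, routed through the configured
    // address instead of a mainnet constant.
    function stethPerWsteth() external view returns (uint256) {
        return IWsteth(WSTETH).stEthPerToken();
    }

    // address.code.length is zero for an EOA or an address with nothing
    // deployed, which is exactly the L2 failure mode the report describes.
    function _requireContract(address token) internal view {
        if (token.code.length == 0) revert NotAContract(token);
    }
}
```

A deployment that passes the mainnet constants on an L2 now reverts with `NotAContract` at construction time rather than leaving a live protocol whose oracle calls fail later.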

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Hardcoded WETH/WSTETH/USDC/USDT won't be the same on L2's

Hardcoded Pipeline address

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Hardcoded WETH/WSTETH/USDC/USDT won't be the same on L2's

Hardcoded Pipeline address
