UsdOracle reverts on tokens which are not wstETH, WETH, Bean
Summary
UsdOracle.sol is ecosystem contract which is used to fetch the Usd price of Token. Problem is that it uses library LibUsdOracle.sol
LibUsdOracle.sol is meant to be used in Diamond's Facet because reads storage associated with oracle configuration per token. It reads storage on all tokens which are not wstETH, WETH, Bean. And obviously such straoge read is incorrect because UsdOracle.sol is standalone contract.
Vulnerability Details
UsdOracle.sol has several functions to return Token : USD price by using LibUsdOracle.sol:
LibUsdOracle uses function getTokenPriceFromExternal() on most of the tokens. This function reads storage like it's Diamond's Facet, obviously this function will revert because UsdOracle doesn't store Oracle config per Token:
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/libraries/Oracle/LibUsdOracle.sol#L105
Impact
UsdOracle doesn't work with some tokens.
Tools Used
Manual Review
Recommendations
Write custom library to use in UsdOracle.sol
Appeal created
UsdOracle reverts on tokens which are not wstETH, WETH, Bean
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.