Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

`LibUniswapOracle` unsafe on L2s in event of Sequencer downtime

holydevoti0n

Summary

The LibUniswapOracle uses the consult() function to query the pool and determine the time-weighted price. This takes in a secondsAgo and observes the price at secondsAgo returning the time-weighted average.

function consult(

address pool,

uint32 secondsAgo

) internal view returns (bool success, int24 arithmeticMeanTick) {

require(secondsAgo != 0, "BP");

uint32[] memory secondsAgos = new uint32[](2);

secondsAgos[0] = secondsAgo;

secondsAgos[1] = 0;

@> try IUniswapV3Pool(pool).observe(secondsAgos) returns ( // @audit no sequencer down check

int56[] memory tickCumulatives,

uint160[] memory

) {

int56 tickCumulativesDelta = tickCumulatives[1] - tickCumulatives[0];

arithmeticMeanTick = SafeCast.toInt24(

int256(tickCumulativesDelta / int56(uint56(secondsAgo)))

);

// Always round to negative infinity

if (tickCumulativesDelta < 0 && (tickCumulativesDelta % int56(uint56(secondsAgo)) != 0))

arithmeticMeanTick--;

success = true;

} catch {}

}

Impact

In the event that an L2's sequencer goes down, the time-weighted price when it comes back online will be the extrapolated previous price.

This will create an opportunity to push through transactions at the old price before it is updated.

Even when the new price is observed, it will be assumed by the sequencer that the previous price held up until the moment it came back online, which will result in a slow, time-weighted adjustment back to the current price.

Reference of a similar issue: https://solodit.xyz/issues/h-01-univ3-oracle-unsafe-on-l2s-in-event-of-sequencer-downtime-zachobront-none-splits-oracle-markdown

Tools Used

Manual Review

Recommendations

(Recommended) - Use the Chainlink Sequencer check before consuming the price from UniV3.
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

(Alternative) - Consider using only Chainlink Oracle + Sequencer check for Beanstalk on L2.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

L2 Sequencer check

Appeal created

holydevoti0n Submitter

12 months ago

golanger85 Auditor

12 months ago

inallhonesty Lead Judge

11 months ago

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

L2 Sequencer check

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.