DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: medium
Invalid

Chainlink getRoundData return value should check timestamp

Summary

The round corresponding to the acquired roundId may not be complete, in which case the returned data is incomplete. The caller needs to check that the timestamp of the returned value is greater than 0.

Vulnerability Details

    function getRoundData(
        IChainlinkAggregator priceAggregator,
        uint80 roundId
    ) private view returns (int256, uint256) {
        try priceAggregator.getRoundData(roundId) returns (
            uint80 /* roundId */,
            int256 _answer,
            uint256 /* startedAt */,
            uint256 _timestamp,
            uint80 /* answeredInRound */
        ) {
            return (_answer, _timestamp);
        } catch {
            return (-1, 0);
        }
    }

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/4e0ad0b964f74a1b4880114f4dd5b339bc69cd3e/protocol/contracts/libraries/Oracle/LibChainlinkOracle.sol#L165C5-L180C6

According to Chainlink docs:

A read can revert if the caller is requesting the details of a round that was invalid or has not yet been answered. If you are deriving a round ID without having observed it before, the round might not be complete. To check the round, validate that the timestamp on that round is not 0. In a best-case scenario, rounds update chronologically. However, a round can time out if it doesn't reach consensus. Technically, that is a timed out round that carries over the answer from the previous round.

Getting Historical Data | Chainlink Documentation

Impact

If the oracle round is not completed, the returned data is erroneous.

Tools Used

Manual Review

Recommendations

Include the updatedAt values in the return statement.

See official example

Getting Historical Data | Chainlink Documentation
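
One way to apply the check that the quoted Chainlink documentation describes (an added example, not code from the Beanstalk repository or from the submission): a wrapper that treats a round with timestamp 0 as invalid and returns the same (-1, 0) sentinel as the catch branch. The library and function names are hypothetical, the interface is reduced to the one call used, and the future-timestamp and non-positive-answer checks go beyond what the page states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Reduced to the single call used here; same shape as Chainlink's
// AggregatorV3Interface.getRoundData, named as in the page's snippet.
interface IChainlinkAggregator {
    function getRoundData(uint80 _roundId)
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical library name, for illustration only.
library RoundDataCheckExample {
    // Same sentinel the page's snippet returns from its catch branch.
    int256 private constant INVALID_ANSWER = -1;

    /// Returns (answer, updatedAt) for a completed round, or (-1, 0) when the
    /// read reverts or the round data fails validation.
    function getRoundDataChecked(
        IChainlinkAggregator priceAggregator,
        uint80 roundId
    ) internal view returns (int256, uint256) {
        try priceAggregator.getRoundData(roundId) returns (
            uint80 /* roundId */,
            int256 _answer,
            uint256 /* startedAt */,
            uint256 _timestamp,
            uint80 /* answeredInRound */
        ) {
            // Incomplete round: the docs say to validate the timestamp is not 0.
            if (_timestamp == 0) return (INVALID_ANSWER, 0);
            // Assumption beyond the page: reject timestamps from the future.
            if (_timestamp > block.timestamp) return (INVALID_ANSWER, 0);
            // Assumption beyond the page: a price feed answer must be positive.
            if (_answer <= 0) return (INVALID_ANSWER, 0);
            return (_answer, _timestamp);
        } catch {
            // Invalid or unanswered round IDs can revert; map to the sentinel.
            return (INVALID_ANSWER, 0);
        }
    }
}
```

Callers then need a single test for the (-1, 0) sentinel, whether the read reverted or returned an incomplete round.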

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
