Beanstalk: The Finale
Beanstalk
DeFiHardhatFoundry
250,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

`LibUsdOracle` uses an incorrect address for `chainlinkRegistry`.

bladesec

Github link

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/9c7b9fd521ad7cbe65cc788df181887c0eb39c6d/protocol/contracts/libraries/Oracle/LibUsdOracle.sol#L36

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/9c7b9fd521ad7cbe65cc788df181887c0eb39c6d/protocol/contracts/libraries/Oracle/LibUsdOracle.sol#L114

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/9c7b9fd521ad7cbe65cc788df181887c0eb39c6d/protocol/contracts/libraries/Oracle/LibUsdOracle.sol#L149

Summary

LibUsdOracle uses an incorrect address for chainlinkRegistry.

Vulnerability Details

LibUsdOracle uses a constant address for chainlinkRegistry but it's for L1 which doesn't work for L2.

library LibUsdOracle {
using LibRedundantMath256 for uint256;
address constant chainlinkRegistry = 0x47Fb2585D2C56Fe188D0E6ec628a38b74fCeeeDf;

So getTokenPriceFromExternal() may revert while trying to get a feed from a chainlink registry.

Impact

getTokenPriceFromExternal() might revert due to an incorrect chainlinkRegistry on L2.

Tools Used

Manual Review

Recommendations

We should set a proper chainlinkRegistry address for L2.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink Oracle FeedRegistry only available on L1

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.