Relevant GitHub Link

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/main/protocol/contracts/libraries/Oracle/LibChainlinkOracle.sol#L39-L48

Summary

The LibChainlinkOracle library uses a ternary conditional operator incorrectly in the getTokenPrice function, which causes the library to fetch an instantaneous price when a time-weighted average price (TWAP) is required and vice versa.

Vulnerability Details

The LibChainlinkOracle::getTokenPrice function attempts to fetch either an instantaneous price or a TWAP based on the lookback parameter. However, the conditional operator is incorrectly implemented:

Impact

Incorrect TWAP Fetching: Suppose The contract is configured to fetch TWAP with 900 seconds lookback to mitigate the impact of price volatility. However, due to incorrect ternary operator, the library fetches the instantaneous price instead of the desired TWAP. This causes the smart contract to execute based on a single, potentially volatile price point rather than a stable, averaged price, leading to inaccurate execution and losses to the users/platform.

Incorrect Instantaneous Price Fetching: The algorithm sets the lookback parameter to 0 to retrieve the instantaneous price. However, due to the incorrect ternary operator inverts the logic and attempts to fetch a TWAP instead. Since the TWAP calculation involves aggregating data over a period, the algorithm experiences delays and operates on outdated price data, resulting in missed opportunities.

Tools Used

Manual Review

Recommendations

Correct the conditional operator in the getTokenPrice function to: