Submission Details
Severity: low
Invalid

Min and Max answers from chainlink's oracle price feed never checked in `LibChainlinkOracle.sol`

Summary

The current implementation of the protocol does not account for minAnswer/maxAnswer checks in the Chainlink oracle system. Chainlink oracles have built-in circuit breakers that keep returning the minimum or maximum price if an asset's value moves outside a predetermined range. This oversight could allow the protocol to be manipulated into handling calls at an inflated price.

Vulnerability Details

Chainlink aggregators employ a safety mechanism, known as a circuit breaker, to prevent reporting extreme prices that could be due to anomalies or sudden crashes in asset value. This mechanism ensures that if the price of an asset falls outside a pre-set price band (minAnswer-maxAnswer), the oracle continues to report the boundary value (either minAnswer or maxAnswer) instead of the actual, potentially erroneous, market price.

If the price of an asset drops sharply (as in the LUNA crash), the oracle would continue to report the minAnswer bound rather than the actual market price. This scenario was exploited on the Venus protocol on Binance Smart Chain (BSC) during the LUNA crash, where users could borrow excessively against the wrong oracle price.

Currently, the protocol correctly implements stale-price checks, but there are no checks for the min and max answers returned by the oracle price feeds.

LibChainlinkOracle.sol#L164-L176

function checkForInvalidTimestampOrAnswer(
    uint256 timestamp,
    int256 answer,
    uint256 currentTimestamp,
    uint256 maxTimeout
) private pure returns (bool) {
    // Check for an invalid timeStamp that is 0, or in the future
    if (timestamp == 0 || timestamp > currentTimestamp) return true;
    // Check if Chainlink's price feed has timed out
    if (currentTimestamp.sub(timestamp) > maxTimeout) return true;
    // Check for non-positive price
    if (answer <= 0) return true;
    // Falls through: the implicit return value is false (answer is valid)
}

Similar Past Issues Judged as Medium Severity:

  1. Risk of Incorrect Asset Pricing by StableOracle in Case of Underlying Aggregator Reaching minAnswer

  2. ChainlinkAdapterOracle will return the wrong price for asset if underlying aggregator hits minAnswer

  3. Missing checks for min and maxAnswer

Impact

In the event of an asset crash (like LUNA), the protocol can be manipulated to handle calls at an inflated price.

Tools Used

VS Code

Recommendations

Add circuit breaker checks in checkForInvalidTimestampOrAnswer as follows:

// Treat an answer pinned at (or beyond) either circuit-breaker bound as invalid
if (answer <= minAnswer || answer >= maxAnswer) return true;

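As an added illustration (not the protocol's code), the check below shows one way to obtain minAnswer/maxAnswer at runtime instead of hard-coding them: it assumes the configured feed address is a Chainlink EACAggregatorProxy, whose `aggregator()` returns the current OffchainAggregator exposing `minAnswer()` and `maxAnswer()`, and it uses Solidity 0.8 checked arithmetic in place of SafeMath's `sub`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of the Chainlink proxy interface (EACAggregatorProxy).
interface IAggregatorProxy {
    function aggregator() external view returns (address);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Subset of the underlying OffchainAggregator that holds the circuit-breaker bounds.
interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

/// Example library (hypothetical name) extending the page's check with bound validation.
library ChainlinkBoundsCheck {
    /// Returns true when the round must be rejected: zero or future timestamp,
    /// stale round, non-positive answer, or an answer sitting at a circuit-breaker bound.
    function checkForInvalidTimestampOrAnswer(
        address feed,
        uint256 timestamp,
        int256 answer,
        uint256 currentTimestamp,
        uint256 maxTimeout
    ) internal view returns (bool) {
        // Invalid timestamp: 0 or in the future
        if (timestamp == 0 || timestamp > currentTimestamp) return true;
        // Stale round (checked arithmetic; the timestamp <= currentTimestamp check above prevents underflow)
        if (currentTimestamp - timestamp > maxTimeout) return true;
        // Non-positive price
        if (answer <= 0) return true;

        // Read the live bounds from the aggregator currently behind the proxy,
        // so a Chainlink aggregator upgrade does not leave stale hard-coded limits.
        IOffchainAggregator agg = IOffchainAggregator(IAggregatorProxy(feed).aggregator());
        int256 minAnswer = int256(agg.minAnswer());
        int256 maxAnswer = int256(agg.maxAnswer());

        // A reported value at or beyond either bound means the circuit breaker has
        // engaged and the answer may not reflect the market: reject it.
        if (answer <= minAnswer || answer >= maxAnswer) return true;
        return false;
    }
}
```

Callers that receive `true` should revert or fall back to a secondary price source rather than proceed with the clamped value.
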
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Known - Bean Part 1
