WhoAmI?
may be auditor

Security blog

Add new post Feed

Auditors space

Dapp Security list Audit Challenges Team formation

Dapps and protocols

Pre-audit plan Audit Profile

Dev Tools

Dev tools Testing tools

Protocol Marketing

Marketing tips

Misc

Support Log In

AuditProfile, Copywright 2025

info@auditprofile.xyz

Privacy Policy

AuditProfile

Block: 86

Timestamp: 12:31:25

AuditProfile

Security blog

Be careful with the Chainlink Heartbeat System!

Did you know that the Chainlink Heartbeat System values vary for different types of tokens? If you use it incorrectly, it can cause a lot of problems for your protocol. This is what happened to the Beanstalk protocol. Have a look at the code snippet:

    function getTokenPriceFromExternal(
        address token,
        uint256 lookback
    ) internal view returns (uint256 tokenPrice) {
        AppStorage storage s = LibAppStorage.diamondStorage();
        Implementation memory oracleImpl = s.sys.oracleImplementation[token];

        // If the encode type is type 1, use the default chainlink implementation instead.
        // `target` refers to the address of the price aggergator implmenation
        if (oracleImpl.encodeType == bytes1(0x01)) {
            // if the address in the oracle implementation is 0, use the chainlink registry to lookup address
            address chainlinkOraclePriceAddress = oracleImpl.target;
            if (chainlinkOraclePriceAddress == address(0)) {
                // use the chainlink registry
                chainlinkOraclePriceAddress = ChainlinkPriceFeedRegistry(chainlinkRegistry).getFeed(
                        token,
                        0x0000000000000000000000000000000000000348
                    ); // 0x0348 is the address for USD
            }

            return
                uint256(1e24).div(
                    LibChainlinkOracle.getTokenPrice(
                        chainlinkOraclePriceAddress,
@>                      LibChainlinkOracle.FOUR_HOUR_TIMEOUT,
                        lookback
                    )
                );
        ...
    }

Chainlink stables have a heart beat of 24 hours i.e if the deviation threshold is not passed for this much time there will be no update to the price, but getTokenPriceFromExternal() hardcodes this limit to 4 hours which leads to price of token = 0 if the token is a stablecoin.

So for tokens with 1 day heartbeat price will be unavailable most of the time: 20 hours a day.

Be careful with the Chainlink Heartbeats! Read the docs and the report here:

Link: https://codehawks.cyfrin.io/c/2024-05-beanstalk-the-finale/s/17

#chainlink

#heartbeat

#price

Connent with me:

Study for free

Cyfrin Updraft

Completely free courses
RareSkills Tutorials

Learn more about the blockchain world
Smart Contract Programmer

Free education videos

Awesome Books

Uniswap V2 Book

by RareSkills
Uniswap V3 Book

by Jeiwan
Compound Book

by RareSkills
ZK Book

by RareSkills
Ethereum Book

by Andreas M. Antonopoulos, Gavin Wood
Beigepaper

by Micah Dameron

Useful tools

EVM diff

Compare execution layer differences between chains
EVM storage

Dive deep into the storage of any contract

#5 Security Snippets: #5

#signature#withdraw

#72 Seaport: integration nuance

#seaport#nft#struct

Регистрация прошла успешно! Спасибо за внимание!

loader