low

Missing the `lookback` parameter when invoking the `getWstethUsdPrice()` in t...

Reward

Total: 193.02 USDC

35.74 USDC
Selected: 50.04 USDC
35.74 USDC
35.74 USDC
35.74 USDC
Selected Submission

Missing the lookback parameter when invoking the getWstethUsdPrice() in the getTokenPrice function

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2024-04-Beanstalk-2/blob/main/protocol/contracts/libraries/Oracle/LibUsdOracle.sol#L64

Summary

When the token is WSTETH, getTokenPrice() does not pass its lookback parameter to getWstethUsdPrice(). It calls LibWstethUsdOracle.getWstethUsdPrice() with a constant value of 0 instead, so it always returns the current spot price for wstETH.

Vulnerability Details

    function getTokenPrice(address token, uint256 lookback) internal view returns (uint256) {
        if (token == C.WETH) {
            uint256 ethUsdPrice = LibEthUsdOracle.getEthUsdPrice(lookback);
            if (ethUsdPrice == 0) return 0;
            return ethUsdPrice;
        }
        if (token == C.WSTETH) {
            uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(0); // @audit missing lookback?
            if (wstethUsdPrice == 0) return 0;
            return wstethUsdPrice;
        }
        revert("Oracle: Token not supported.");
    }

Impact

For wstETH, getTokenPrice always returns the current price instead of the TWAP. This could lead to inaccurate calculations wherever getTokenPrice is called for wstETH.

Tools Used

Manual review

Recommendations

It's recommended to use the lookback parameter instead of 0:

    uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(lookback);
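A regression check for this class of bug, as an added example that is not Beanstalk code or part of the submission: move only the spot price and confirm that a price requested with a non-zero lookback does not move with it. `MockWstethOracle`, `LookbackCheck`, the prices and the 900-second window are hypothetical, and the mock assumes, as the finding describes, that a lookback of 0 means spot and any other value means TWAP.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for LibWstethUsdOracle (assumption: lookback == 0
// returns the spot price, any other lookback returns the TWAP).
contract MockWstethOracle {
    uint256 public spot = 4000e6; // constructed sample prices
    uint256 public twap = 3500e6;

    function setSpot(uint256 newSpot) external {
        spot = newSpot;
    }

    function getWstethUsdPrice(uint256 lookback) external view returns (uint256) {
        return lookback == 0 ? spot : twap;
    }
}

contract LookbackCheck {
    MockWstethOracle public oracle;

    constructor() {
        oracle = new MockWstethOracle();
    }

    // WSTETH branch as quoted in the finding: the caller's lookback is dropped.
    function priceAsReported(uint256 /* lookback */) public view returns (uint256) {
        return oracle.getWstethUsdPrice(0);
    }

    // WSTETH branch with the recommended change: lookback is forwarded.
    function priceAsRecommended(uint256 lookback) public view returns (uint256) {
        return oracle.getWstethUsdPrice(lookback);
    }

    // Doubles the spot price between two reads made with a non-zero lookback.
    // Returns true only if the lookback read was insulated from the spot move.
    function lookbackIsHonoured(bool useFix) external returns (bool) {
        uint256 lookback = 900; // constructed window, in seconds
        uint256 p0 = useFix ? priceAsRecommended(lookback) : priceAsReported(lookback);
        oracle.setSpot(oracle.spot() * 2);
        uint256 p1 = useFix ? priceAsRecommended(lookback) : priceAsReported(lookback);
        return p0 == p1;
    }
}
```

`lookbackIsHonoured(false)` returns false for the dispatch quoted above and `lookbackIsHonoured(true)` returns true; the same spot-move check applies to every token branch of a price dispatcher.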