Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No check if Arbitrum L2 sequencer is down in Chainlink feeds #1117

Open
codehawks-bot opened this issue Aug 5, 2023 · 0 comments
Open

No check if Arbitrum L2 sequencer is down in Chainlink feeds #1117

codehawks-bot opened this issue Aug 5, 2023 · 0 comments
Labels
ai-dup-266 ai-dup-271 ai-dup-334 ai-dup-339 ai-dup-471 ai-dup-775 ai-dup-1045 finding-oracle-sequencer medium

Comments

@codehawks-bot
Copy link

No check if Arbitrum L2 sequencer is down in Chainlink feeds

Severity

Medium Risk

Summary

Assuming this contract will be deployed to L2 chains.Using Chainlink in L2 chains such as Arbitrum requires to check if the sequencer is down to avoid prices from looking like they are fresh although they are not.

Vulnerability Details

In OracleLib.sol , there is no check to see if the sequencer is done which will lead to stale prices.

   function staleCheckLatestRoundData(AggregatorV3Interface chainlinkFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            chainlinkFeed.latestRoundData();

        if (updatedAt == 0 || answeredInRound < roundId) {
            revert OracleLib__StalePrice();
        }
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }

Impact

Users can get better borrows if the price is above the actual price
Users can avoid liquidations if the price is under the actual price

Tools Used

Manual review

Recommendations

It is recommended to follow the code example of Chainlink:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ai-dup-266 ai-dup-271 ai-dup-334 ai-dup-339 ai-dup-471 ai-dup-775 ai-dup-1045 finding-oracle-sequencer medium
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hans-cyfrin @codehawks-bot