pashov - WSTETHOracle needs to check for sequencer availability

[sherlock-admin]

pashov

medium

WSTETHOracle needs to check for sequencer availability

Summary

Using Chainlink's Arbitrum price feeds you should always check for sequencer availability

Vulnerability Detail

The wsETH-stETH oracle is only available on Arbitrum. As per Chainlink's documentation, since Arbitrum is an L2 solution, the price feed is loaded by a sequencer. To stay secure, you should always check for sequencer availability, otherwise the data you are using might be stale.

Impact

If sequencer has not been available and the price is not the real one, this can result in undercollateralised positions or mistakenly liquidated ones, both causing a loss to either the protocol or the users.

Code Snippet

https://github.com/sherlock-audit/2022-11-sentiment/blob/main/oracle-merged/src/wsteth/WSTETHOracle.sol#L46

Tool used

Manual Review

Recommendation

Add the same function that you have in ArbiChainlinkOracle.sol to WSTETHOracle.sol
function isSequencerActive() internal view returns (bool) { (, int256 answer, uint256 startedAt,,) = sequencer.latestRoundData(); if (block.timestamp - startedAt <= GRACE_PERIOD_TIME || answer == 1) return false; return true; }
And also add the following check on the first line of getPrice():
if (!isSequencerActive()) revert Errors.L2SequencerUnavailable();

Duplicate of #3