This repository has been archived by the owner on Nov 5, 2023. It is now read-only.
ctf_sec - Missing checks for whether Arbitrum Sequencer is active #142
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
github-actions
bot
added
Medium
This was referenced May 3, 2023
Gornutz
added
Sponsor Confirmed
|
Methodology for calculating prices between L1 and L2 implementations are unexpectedly different. Need more clarification/changes before sign off |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
ctf_sec
medium
Missing checks for whether Arbitrum Sequencer is active
Summary
Missing checks for whether Arbitrum Sequencer is active
Vulnerability Detail
the onchain deployment context is changed, in prev contest the protocol only attemps to deploy the code to ethereum while in the current contest
the protocol intends to deploy to arbtrium as well!
Chainlink recommends that users using price oracles, check whether the Arbitrum sequencer is active
https://docs.chain.link/data-feeds#l2-sequencer-uptime-feeds
If the sequencer goes down, the index oracles may have stale prices, since L2-submitted transactions (i.e. by the aggregating oracles) will not be processed.
Impact
Stale prices, e.g. if USDC were to de-peg while the sequencer is offline, stale price is used and can result in false liquidation or over-borrowing.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/ChainlinkAdapterOracle.sol#L76-L98
Tool used
Manual Review
Recommendation
Use sequencer oracle to determine whether the sequencer is offline or not, and don't allow orders to be executed while the sequencer is offline.
The text was updated successfully, but these errors were encountered: