This repository has been archived by the owner on Nov 12, 2023. It is now read-only.

ast3ros - Chainlink Adaptor does not check Sequencer Uptime #361

Closed
sherlock-admin opened this issue May 10, 2023 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments


sherlock-admin commented May 10, 2023

ast3ros

medium

Chainlink Adaptor does not check Sequencer Uptime

Summary

Borrowers and perpetual positions may face liquidations when the Sequencer is down if the Chainlink Adaptor does not check the Sequencer Uptime Feed and does not have a Grace Period.

Vulnerability Detail

On L2 platforms like Arbitrum, developers need to check the Sequencer Uptime when using Oracle Price Feeds. However, the chainlinkAdaptor contract does not implement the L2 Sequencer Uptime Feed and Grace Period.

```solidity
(, rawPrice, , updatedAt, ) = IChainlink(chainlink).latestRoundData();
(, int256 USDCPrice,, uint256 USDCUpdatedAt,) = IChainlink(USDCSource).latestRoundData();
```

https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/adaptor/chainlinkAdaptor.sol#L46

This is very risky and can have negative consequences for borrowers in JUSD and traders in JOJO system, as their calculations depend heavily on the Oracle. There may be mass liquidations when the Sequencer resumes. For more details, please refer to this article.

> Consider you have deployed a lending protocol on L2, and its sequencer goes down. This has happened in the past and may happen in the future. When the sequencer comes back online and oracles update their prices, all price movements that occurred during downtime are applied at once. If these movements are significant, they may cause chaos. Borrowers would rush to save their positions, while liquidators would rush to liquidate borrowers. Since liquidations are handled mainly by bots, borrowers are likely to suffer mass liquidations.

https://0xmacro.com/blog/how-to-consume-chainlink-price-feeds-safely/ - Chainlink L2 Sequencer Uptime Feed and Grace Period

Impact

Borrowers and traders may suffer losses or unfair gains due to significant price movements when the Sequencer comes back online.

Code Snippet

https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/adaptor/chainlinkAdaptor.sol#L43-L55
https://github.com/sherlock-audit/2023-04-jojo/blob/main/JUSDV1/src/oracle/JOJOOracleAdaptor.sol#L26-L35

Tool used

Manual Review

Recommendation

Implement a check for L2 Sequencer Uptime and GRACE_PERIOD_TIME before getting the price from PriceFeed. For example:

https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

Duplicate of #101
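The recommended check, as an added example following the pattern of the Chainlink docs linked above (this is not the JOJO adaptor's own code): the sequencer uptime feed is read first, and the price is only returned if the sequencer is up and the grace period has elapsed. The feed addresses, the one-hour grace period and the heartbeat are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Chainlink aggregator interface; same return shape as the adaptor's IChainlink.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract SequencerAwarePriceReader {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();

    IAggregatorV3 public immutable sequencerUptimeFeed; // assumed: the L2 Sequencer Uptime Feed for this chain
    IAggregatorV3 public immutable priceFeed;           // assumed: the asset/USD price feed
    uint256 public constant GRACE_PERIOD_TIME = 3600;   // assumed: one hour after the sequencer restarts
    uint256 public immutable heartbeat;                 // assumed: max acceptable age of the price answer

    constructor(address _sequencerUptimeFeed, address _priceFeed, uint256 _heartbeat) {
        sequencerUptimeFeed = IAggregatorV3(_sequencerUptimeFeed);
        priceFeed = IAggregatorV3(_priceFeed);
        heartbeat = _heartbeat;
    }

    // Reverts unless the sequencer is up AND has been up for longer than GRACE_PERIOD_TIME,
    // so stale downtime price movements are not applied the moment the chain resumes.
    function _checkSequencer() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        // Uptime feed convention: answer == 0 means up, answer == 1 means down.
        if (answer != 0) revert SequencerDown();
        // startedAt is the timestamp at which the current (up) status began.
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();
    }

    // Price read guarded by the sequencer check and a basic staleness check.
    function getPrice() external view returns (int256 price) {
        _checkSequencer();
        uint256 updatedAt;
        (, price, , updatedAt, ) = priceFeed.latestRoundData();
        if (price <= 0 || block.timestamp - updatedAt > heartbeat) revert StalePrice();
    }
}
```

Callers that must not revert during downtime (e.g. a view used by a UI) can catch the custom errors, but liquidation and borrowing paths should let the revert stand.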

@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels May 17, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label May 30, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue labels Jun 19, 2023