This repository has been archived by the owner on Nov 12, 2023. It is now read-only.
GalloDaSballo - No check for Arbitrum Sequencer being down means stale prices may be accepted #421
Labels
Non-Reward
This issue will not receive a payout
Comments
github-actions
bot
added
Medium
sherlock-admin
added
Non-Reward
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
GalloDaSballo
medium
No check for Arbitrum Sequencer being down means stale prices may be accepted
Summary
Because of how Arbitrum Enqueues TXs while the sequencer is down, TXs with an older timestamp may be accepted, allowing the usage of stale prices
Vulnerability Detail
In lack of checks, the transaction will be queued, resulting in the ability to use older prices as the timestamp from L1 will be the one of the original submission and not the one of the time of processing.
This is because Arbitrum will enqueue the TX and store the original Timestamp from L1 at the time of original submission and not processing
Impact
Stable prices may be used after the sequence comes back online
Code Snippet
https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/adaptor/chainlinkAdaptor.sol#L43-L55
Tool used
Manual Review
Recommendation
https://docs.chain.link/data-feeds/l2-sequencer-feeds#arbitrum
See the queue system here:
https://docs.chain.link/data-feeds/l2-sequencer-feeds/
Remediation Steps
Consider reverting if the Sequencer is offline.
Check the Chainlink Documentation for a full example:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
Duplicate of #101
The text was updated successfully, but these errors were encountered: