0xrobsol - Offline sequencer can potentially cause stale and outdated price. (Medium)

[sherlock-admin]

0xrobsol

false

Offline sequencer can potentially cause stale and outdated price. (Medium)

Summary

Offline sequencer can potentially cause stale and outdated price.

Vulnerability Detail

The getMarkPrice() receives price updates from an oracle. But the protocol is deployed on a L2 which relies on a sequencer. A sequencer is responsible for ordering transactions before they're finalized on the blockchain. If the sequencer is offline there is a potential impact for stale and outdated price.

Impact

This impact could be huge because the protocol depends on price updates, for example calculating users totalexposure, liquidation etc. and wrong price points can cause wrong payouts and opportunities for a third party to expose.

Code Snippet

function getMarkPrice() external view returns (uint256 price) { int256 rawPrice; uint256 updatedAt; /*@audit-issue OBS! Because JoJo finance is on a L2 "Arbitrum" the sequcence can end upp offline which can stale the oracle prices ---> https://twitter.com/bytes032/status/1653943092427325448 */ (, rawPrice, , updatedAt, ) = IChainlink(chainlink).latestRoundData(); (, int256 USDCPrice,, uint256 USDCUpdatedAt,) = IChainlink(USDCSource).latestRoundData(); require( block.timestamp - updatedAt <= heartbeatInterval, "ORACLE_HEARTBEAT_FAILED" ); require(block.timestamp - USDCUpdatedAt <= heartbeatInterval, "USDC_ORACLE_HEARTBEAT_FAILED"); uint256 tokenPrice = (SafeCast.toUint256(rawPrice) * 1e8) / SafeCast.toUint256(USDCPrice); return tokenPrice * 1e18 / decimalsCorrection; }

Tool used

Visual studio.

Manual Review

Recommendation

A solution could be too implement a Chainlinks L2 sequencer sptime feed. And if the state is false then revert the price update because of the sequencer being down.

Duplicate of #101