This repository has been archived by the owner on Nov 12, 2023. It is now read-only.
p0wd3r - Oracle is not checking for sequencer uptime #53
Labels
Non-Reward
This issue will not receive a payout
Comments
github-actions
bot
added
Medium
sherlock-admin
added
Non-Reward
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
p0wd3r
medium
Oracle is not checking for sequencer uptime
Summary
The Arbitrum Sequencer can allow tx to be queued while the L2 is offline, these will pass the freshness check but use outdated prices.
Although the project team stated in the documentation that Chainlink's failure is acceptable, I believe this situation is different because it makes the system unfair. Attackers can use non-real-time prices for trading while most normal users cannot trade properly.
Vulnerability Detail
Because of how Arbitrum works, if the L2 goes offline, tx can still be sent via the Delayed inbox on L1.
This could allow the creation of orders which use prices from when the Sequencer was down, which would still pass the freshness check, but may be incorrect or outdated.
If Chainlink failure results in the same impact on all users, then I think it is acceptable. However, the project team needs to avoid situations that create unfairness.
Impact
Attackers can use non-real-time prices for trading while most normal users cannot trade properly.
Code Snippet
https://github.com/JOJOexchange/smart-contract-EVM/blob/main/contracts/adaptor/chainlinkAdaptor.sol#L46
https://github.com/JOJOexchange/JUSDV1/blob/011e10d36257a404c8c1d7d2b8c9f01a2b7a1969/src/oracle/JOJOOracleAdaptor.sol
Tool used
Manual Review
Recommendation
Chainlink provides a solution: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
Duplicate of #101
The text was updated successfully, but these errors were encountered: