This repository has been archived by the owner on Nov 12, 2023. It is now read-only.
0xGoodess - ChainlinkExpandAdaptor does not check whether L2 sequencer is up #9
Labels
Non-Reward
This issue will not receive a payout
Comments
github-actions
bot
added
Medium
sherlock-admin
added
Non-Reward
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
0xGoodess
medium
ChainlinkExpandAdaptor does not check whether L2 sequencer is up
Summary
ChainlinkExpandAdaptor does not check whether L2 sequencer is up.
Vulnerability Detail
Since Arbitrium has its own sequencer; block.timestamp only reflects the L1 timestamp on ethereum. It's possible that block.timestamp is delayed since Arbitrium only finalized on L1 every 40mins, potentially using old price from pricefeed in oracle.
Impact
Using old price from pricefeed in oracle due to unchecked timestamp difference esp when sequencer is down.
Code Snippet
https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/adaptor/chainlinkAdaptor.sol#L49
Tool used
Manual Review
Recommendation
Use sequencer uptime check by using a chainlink oracle
https://docs.chain.link/data-feeds/l2-sequencer-feeds#handling-arbitrum-outages
Duplicate of #101
The text was updated successfully, but these errors were encountered: