This repository has been archived by the owner on Dec 31, 2023. It is now read-only.
sherlock-admin opened this issue · Jul 1, 2023 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
No check if L2 sequencer is down in Chainlink feeds
Summary
No check if L2 sequencer is down in Chainlink feeds
Vulnerability Detail
When using Chainlink on Layer 2 (L2) chains like Arbitrum, it is essential to implement a check to determine the status of the sequencer. This validation is crucial to prevent prices from appearing up-to-date when, in reality, they are not due to sequencer downtime. However, the current implementation of the D3Oracle contract lacks this protective measure, leaving it susceptible to potential issues arising from the unavailability of the L2 chain, such as Arbitrum.
```solidity
// File: D3Oracle.sol, lines 48-56
function getPrice(address token) public view override returns (uint256) {
    require(priceSources[token].isWhitelisted, "INVALID_TOKEN");
    AggregatorV3Interface priceFeed = AggregatorV3Interface(priceSources[token].oracle);
    (uint80 roundID, int256 price,, uint256 updatedAt, uint80 answeredInRound) = priceFeed.latestRoundData();
    require(price > 0, "Chainlink: Incorrect Price");
    require(block.timestamp - updatedAt < priceSources[token].heartBeat, "Chainlink: Stale Price");
    require(answeredInRound >= roundID, "Chainlink: Stale Price");
    return uint256(price) * 10 ** (36 - priceSources[token].priceDecimal - priceSources[token].tokenDecimal);
}
```
This is a well-known operational issue for protocols running on L2. It is recommended to implement some measures (e.g., a grace period) to mitigate such a risk when the sequencer is offline.
Chainlink provides a solution to address the issue of sequencer availability on Layer 2 (L2) networks through their L2 Sequencer Uptime Feeds. These feeds serve as a valuable resource for protocols operating on L2, enabling them to verify the availability of the sequencer and effectively manage associated risks. By leveraging the capabilities of the L2 Sequencer Uptime Feeds, protocols can ensure that the sequencer is online before relying on its data, thereby enhancing the reliability and integrity of their operations on Layer 2. Chainlink's documentation provides detailed information on how to utilize these feeds and integrate them into L2 protocols for robust risk management. L2 Sequencer Uptime Feeds (https://docs.chain.link/data-feeds/l2-sequencer-feeds)
Impact
If the sequencer goes down, the protocol will allow users to continue to operate at the previous (stale) rates.
bitsurfer
medium
Code Snippet
https://github.com/sherlock-audit/2023-06-dodo/blob/main/new-dodo-v3/contracts/DODOV3MM/periphery/D3Oracle.sol#L48-L56
Tool used
Manual Review
Recommendation
It is recommended to follow the code example of Chainlink:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
Duplicate of #62
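An added example (not code from the DODO repository, from this report, or copied from Chainlink's documentation): a minimal price reader that consults an L2 Sequencer Uptime Feed and enforces a grace period before applying the same staleness checks as `getPrice`. The contract name, constructor parameters, single-feed layout and the 3600-second grace period are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Minimal copy of the Chainlink aggregator interface so the example is self-contained.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical single-feed wrapper; D3Oracle itself keeps per-token priceSources.
contract SequencerGuardedPrice {
    AggregatorV3Interface public immutable sequencerUptimeFeed;
    AggregatorV3Interface public immutable priceFeed;
    uint256 public immutable heartBeat;
    uint256 public constant GRACE_PERIOD = 3600; // seconds; assumed value

    error SequencerDown();
    error GracePeriodNotOver();

    constructor(address uptimeFeed_, address priceFeed_, uint256 heartBeat_) {
        sequencerUptimeFeed = AggregatorV3Interface(uptimeFeed_);
        priceFeed = AggregatorV3Interface(priceFeed_);
        heartBeat = heartBeat_;
    }

    function _requireSequencerUp() internal view {
        (, int256 answer, uint256 startedAt,,) = sequencerUptimeFeed.latestRoundData();
        // Uptime feed semantics: answer == 0 means the sequencer is up, 1 means it is down.
        if (answer != 0) revert SequencerDown();
        // startedAt is when the status last changed; after a recovery, reject reads
        // until the grace period has passed so prices have time to catch up.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }

    function getPrice() external view returns (uint256) {
        _requireSequencerUp();
        (uint80 roundID, int256 price,, uint256 updatedAt, uint80 answeredInRound) = priceFeed.latestRoundData();
        require(price > 0, "Chainlink: Incorrect Price");
        require(block.timestamp - updatedAt < heartBeat, "Chainlink: Stale Price");
        require(answeredInRound >= roundID, "Chainlink: Stale Price");
        return uint256(price);
    }
}
```

The guard runs before the price feed is read, so a sequencer outage or a just-ended outage causes a revert instead of returning a price that only looks fresh.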