This repository has been archived by the owner on Dec 31, 2023. It is now read-only.
shogoki - Missing Check for Arbitrum Sequencer #232
Comments
github-actions
bot
added
Medium
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
shogoki
medium
Missing Check for Arbitrum Sequencer
Summary
There is no check if the Arbitrum Sequencer is online, when fetching the Chainlink Oracle
Vulnerability Detail
When Chainlin is used in L2 networks, like Arbitrum, it is required to check if the Sequencer is online. If the sequencer is down, prices may look fresh, altough they arent.
Therefore the getPrice function from the Oracle may return stale prices.
Impact
A malicious user could leverage stale prices when the Sequencer is down.
Code Snippet
https://github.com/sherlock-audit/2023-06-dodo/blob/main/new-dodo-v3/contracts/DODOV3MM/periphery/D3Oracle.sol#L48-L56
Tool used
Manual Review
Recommendation
Implement check for the Sequencer.
An example can be found here:
https://blog.chain.link/how-to-use-chainlink-price-feeds-on-arbitrum/#almost_done!_meet_the_l2_sequencer_health_flag
Duplicate of #62
The text was updated successfully, but these errors were encountered: