Madalad - Missing check if Chainlink sequencer is down

[sherlock-admin]

Madalad

medium

Missing check if Chainlink sequencer is down

Summary

Call to Chainlink price feed may return inaccurate value on L2 if the sequencer is unavailable.

Vulnerability Detail

When utilizing Chainlink in L2 chains like Arbitrum or Optimism, it's important
to ensure that the prices provided are not falsely perceived as fresh, even
when the sequencer is down. This vulnerability could potentially be exploited
by malicious actors to gain an unfair advantage.

See Chainlink's docs
for more information.

Impact

Valuing assets incorrectly can lead to unexpected behaviour such as undercollateralization or unfair liquidations.

Code Snippet

File: root\contracts\attribute\Kept.sol

59:     /// @notice Returns the price of ETH in terms of the keeper token
60:     /// @return The price of ETH in terms of the keeper token
61:     function _etherPrice() private view returns (UFixed18) {
62:         (, int256 answer, , ,) = ethTokenOracleFeed().latestRoundData();
63:         return UFixed18Lib.from(Fixed18Lib.ratio(answer, 1e8)); // chainlink eth-usd feed uses 8 decimals
64:     }

https://github.com/sherlock-audit/2023-07-perennial/blob/main/root/contracts/attribute/Kept.sol#L62

Tool used

Manual Review

Recommendation

Implement a sequencer uptime check if the contract is deployed to an L2, as shown here.

Duplicate of #146

[sherlock-admin]

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

n33k commented:

unhandled stale price returned from latestRoundData()