unRekt - Not checking if a sequencer is down or not in a function to fetch rate from oracle can lead to outdated and unordered data feed #132

Closed
sherlock-admin3 opened this issue Jul 3, 2024 · 1 comment
Labels: Excluded (Excluded by the judge without consulting the protocol or the senior), Non-Reward (This issue will not receive a payout)

Comments


sherlock-admin3 commented Jul 3, 2024

unRekt

Medium

Not checking if a sequencer is down or not in a function to fetch rate from oracle can lead to outdated and unordered data feed

Summary

Not checking the sequencer can lead to stale data feed

Vulnerability Detail

By not checking the sequencer in the _getPTRate function of the PendlePTOracle.sol contract, it can lead to fetching of unordered and outdated data feeds. Use the _checkSequencer function like it's used in other functions of the oracle.

Similar issue related to Chainlink sequencer:
sherlock-audit/2022-11-sentiment-judging#3

Impact

Not checking the sequencer can lead to stale data feed

Code Snippet

function _getPTRate() internal view returns (int256) {
    uint256 ptRate = useSyOracleRate ?
        Deployments.PENDLE_ORACLE.getPtToSyRate(pendleMarket, twapDuration) :
        Deployments.PENDLE_ORACLE.getPtToAssetRate(pendleMarket, twapDuration);
    return ptRate.toInt();
}

https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/oracles/PendlePTOracle.sol#L85-L90

Tool used

Manual Review

Recommendation

Use _checkSequencer in _getPTRate
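For reference, a sequencer gate of the kind the recommendation names, following Chainlink's documented L2 Sequencer Uptime Feed pattern. This is an added example, not the project's `_checkSequencer` and not code from the issue; the contract name, the `IPtRateSource` interface (including its parameter types), `_requireSequencerUp` and the one-hour grace period are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Chainlink aggregator interface, reduced to the one call used here.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical stand-in for the rate source. The function name mirrors the
// snippet in the issue; the parameter types are assumed.
interface IPtRateSource {
    function getPtToAssetRate(address market, uint32 duration) external view returns (uint256);
}

contract SequencerGatedPtRate {
    error SequencerDown();
    error GracePeriodNotOver();

    uint256 public constant GRACE_PERIOD = 1 hours; // assumed value

    AggregatorV3Interface public immutable sequencerUptimeFeed;
    IPtRateSource public immutable rateSource;
    address public immutable market;
    uint32 public immutable twapDuration;

    constructor(AggregatorV3Interface feed_, IPtRateSource source_, address market_, uint32 twap_) {
        sequencerUptimeFeed = feed_;
        rateSource = source_;
        market = market_;
        twapDuration = twap_;
    }

    function _requireSequencerUp() internal view {
        // Assumption: a zero feed address marks a chain without a sequencer (L1).
        if (address(sequencerUptimeFeed) == address(0)) return;
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        // Uptime feed convention: 0 = sequencer up, 1 = sequencer down.
        if (answer != 0) revert SequencerDown();
        // startedAt is when the status last changed; after a recovery, wait out
        // the grace period so prices queued during the outage are not used.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }

    function getPtRate() external view returns (uint256) {
        _requireSequencerUp();
        return rateSource.getPtToAssetRate(market, twapDuration);
    }
}
```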

@github-actions github-actions bot closed this as completed Jul 5, 2024
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jul 5, 2024
@rcstanciu rcstanciu reopened this Jul 5, 2024
@sherlock-admin2
Contributor

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

On L2, the Chainlink Sequencer oracle is checked and will cause any oracle checks to revert

@sherlock-admin4 sherlock-admin4 changed the title from "Savory Inky Troll - Not checking if a sequencer is down or not in a function to fetch rate from oracle can lead to outdated and unordered data feed" to "unRekt - Not checking if a sequencer is down or not in a function to fetch rate from oracle can lead to outdated and unordered data feed" Jul 11, 2024
@sherlock-admin4 sherlock-admin4 added the Non-Reward This issue will not receive a payout label Jul 11, 2024