When using Chainlink price feeds on an L2 such as Arbitrum, the protocol must not treat a price as fresh while the sequencer is down: the feed's `updatedAt` timestamp can pass the usual staleness check even though no new transactions, including oracle updates, have been processed on the L2. Malicious actors could exploit this to gain an unfair advantage over users who cannot transact.
https://pasteboard.co/V4gFHOaMuQOz.png
https://discord.com/channels/1127263608246636635/1129041670864916510/1136582556033232917
It was mentioned in the Foundry-defi-stablecoin discord channel that this project will be deployed to any EVM chain. If the project is deployed to the Arbitrum network, the staleCheckLatestRoundData() function should be improved and additional controls added, for example a check that the sequencer is not down.
If the sequencer becomes unavailable, the read/write APIs that consumers rely on are unreachable, and applications on the L2 network are down for most users unless they interact directly through the L1 optimistic rollup contracts. The L2 has not stopped, but it would be unfair to continue providing service on your application when only a few users can use it.
There is no check of the sequencer's status in the oracle library:
https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/d1c5501aa79320ca0aeaa73f47f0dbc88c7b77e2/src/libraries/OracleLib.sol#L7-L38
If the Arbitrum sequencer goes down, the protocol will let users keep operating at the previous (stale) rates, since the staleness check only looks at the time elapsed since the last feed update.
vscode
It is recommended to follow the code example of Chainlink:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
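The following is an added example of what such a check could look like; it is not the project's OracleLib and not the Chainlink documentation's code. It combines the existing timeout-based staleness check with the sequencer uptime feed pattern described in the Chainlink docs (answer == 0 means the sequencer is up, answer == 1 means it is down, and `startedAt` is the time of the last status change). The 3-hour TIMEOUT, the 1-hour GRACE_PERIOD, the `sequencerUptimeFeed` parameter and the library name are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/*
 * Added example, not the project's OracleLib: price staleness check plus the
 * Chainlink L2 sequencer uptime feed check. TIMEOUT, GRACE_PERIOD and the
 * sequencerUptimeFeed parameter are illustrative assumptions.
 */
library OracleLibWithSequencerCheck {
    error OracleLib__StalePrice();
    error OracleLib__SequencerDown();
    error OracleLib__GracePeriodNotOver();

    uint256 private constant TIMEOUT = 3 hours;      // assumed staleness window
    uint256 private constant GRACE_PERIOD = 1 hours; // assumed wait after sequencer restart

    function staleCheckLatestRoundData(
        AggregatorV3Interface priceFeed,
        AggregatorV3Interface sequencerUptimeFeed
    ) public view returns (uint80, int256, uint256, uint256, uint80) {
        // Refuse to serve any price while the L2 sequencer is down or just restarted.
        _checkSequencerUp(sequencerUptimeFeed);

        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // updatedAt == 0 means the round never completed; otherwise enforce the timeout.
        if (updatedAt == 0) revert OracleLib__StalePrice();
        if (block.timestamp - updatedAt > TIMEOUT) revert OracleLib__StalePrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }

    function _checkSequencerUp(AggregatorV3Interface sequencerUptimeFeed) private view {
        // Uptime feed semantics: answer == 0 -> sequencer up, answer == 1 -> sequencer down.
        (, int256 answer, uint256 startedAt,,) = sequencerUptimeFeed.latestRoundData();
        if (answer != 0) revert OracleLib__SequencerDown();

        // startedAt is when the sequencer last came back up; wait out a grace period so
        // users can adjust their positions before stale-looking prices are consumed again.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert OracleLib__GracePeriodNotOver();
    }
}
```

With `using OracleLibWithSequencerCheck for AggregatorV3Interface;` a caller invokes `priceFeed.staleCheckLatestRoundData(sequencerUptimeFeed)`. The uptime feed address differs per L2 and does not exist on L1, so a deployment that targets several chains needs to store it per network and skip the sequencer check where no such feed exists, rather than hard-coding one address.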
Same issue in other contests
sherlock-audit/2023-02-bond-judging#1