Submission Details
Severity: medium
Valid

`OracleLib` could end up using stale prices when deployed on L2 networks

Summary

The current implementation of `OracleLib` does not account for a possible deployment on an L2 network. Without the additional checks an L2 requires, the oracle could return a price without reverting even when that price is stale.

Vulnerability Details

If the project is deployed on L2 networks (Arbitrum, Optimism, and Metis), the checks done inside `staleCheckLatestRoundData` are not enough, and the oracle could end up returning a stale price.

In this scenario, when the protocol returns a stale price, the following side effects could happen:

  • a user could be liquidated when in reality the real HF is > 1

  • a user that should be liquidated won't be liquidated

  • a user will be able to borrow more than they should

  • a user will not be able to borrow

  • a user will not be able to withdraw funds

  • a user will be able to withdraw funds when it should not be able to do so

  • ...

Impact

If the sequencer is down, the protocol could end up using a stale price.

Tools Used

Manual

Recommendations

The OracleLib library contract should be updated to handle the verification of the uptime of the L2 Sequencer.

  1. Add support to the Sequencer Uptime Feed object

  2. Verify that the sequencer is up, otherwise revert

  3. If the sequencer is up, verify that the grace period has passed

  4. Update the `TIMEOUT` and `GRACE_PERIOD_TIME` values based on the deployment chain and the Data Feed configuration.

The client can check out the official Chainlink L2 Sequencer Feed documentation for a basic code example.
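The four steps above, combined into one `staleCheckLatestRoundData` as an added illustration (this is not the project's code): the `AggregatorV3Interface` is declared inline, the `sequencerUptimeFeed` parameter, the custom errors and the `TIMEOUT` / `GRACE_PERIOD_TIME` values are assumptions to be adjusted per chain and feed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal Chainlink aggregator interface, declared inline so the example is self-contained.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

library OracleLib {
    error OracleLib__StalePrice();
    error OracleLib__SequencerDown();
    error OracleLib__GracePeriodNotOver();

    // Hypothetical values: tune them to the price feed heartbeat on the target chain (step 4).
    uint256 private constant TIMEOUT = 3 hours;
    uint256 private constant GRACE_PERIOD_TIME = 1 hours;

    function staleCheckLatestRoundData(
        AggregatorV3Interface priceFeed,
        AggregatorV3Interface sequencerUptimeFeed // step 1: the L2 Sequencer Uptime Feed
    ) internal view returns (uint80, int256, uint256, uint256, uint80) {
        (, int256 sequencerAnswer, uint256 sequencerStartedAt, , ) = sequencerUptimeFeed.latestRoundData();

        // Step 2: Chainlink encodes answer == 0 as "sequencer up" and 1 as "sequencer down".
        if (sequencerAnswer != 0) revert OracleLib__SequencerDown();

        // Step 3: startedAt is when the sequencer last came back up. A value of 0 means the round
        // is not initialised, so treat it as "not safe yet" rather than letting the check pass.
        if (sequencerStartedAt == 0 || block.timestamp - sequencerStartedAt <= GRACE_PERIOD_TIME) {
            revert OracleLib__GracePeriodNotOver();
        }

        // Only now is the price feed itself consulted, with the usual staleness checks.
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();
        if (updatedAt == 0 || block.timestamp - updatedAt > TIMEOUT) revert OracleLib__StalePrice();
        if (answeredInRound < roundId) revert OracleLib__StalePrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}
```

On L1 deployments, where no uptime feed exists, the sequencer checks should be skipped rather than pointed at a dummy aggregator.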
