Submission Details
Severity: medium
Valid

No check if Arbitrum L2 sequencer is down in Chainlink feeds

Summary

The protocol is intended to be deployed on any EVM-compatible chain, which includes L2s such as Arbitrum or Optimism.

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }

Using Chainlink feeds on L2 chains such as Arbitrum requires checking whether the sequencer is down, so that prices that have not actually been updated do not appear fresh.

Malicious actors could exploit this missing check during sequencer downtime.

Vulnerability Details

The protocol uses Chainlink's AggregatorV3Interface but does not check whether the L2 sequencer is down:

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }

Impact

If this contract is deployed on an L2 and the sequencer is down, the stale price will still pass the timeout check, which can lead to issues such as:

  • Users can obtain more favourable borrows if the reported price is above the actual price

  • Users can avoid liquidations if the reported price is below the actual price

Tools Used

Manual Review

Recommendations

It is recommended to follow the code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code.

Either add the sequencer uptime check alongside the Chainlink aggregator feed read, or move the responsibility to the open-source developers integrating the code and state very clearly that this code is only meant for the Ethereum mainnet.
