Severity: medium
Valid

Lack of sequencer check

Summary

As discussed with the team behind this project (Patric), this stablecoin can be deployed on any EVM chain. If it is deployed on an L2, the Chainlink integration will not work, because there is no check for the sequencer.

Vulnerability Details

When using Chainlink on L2 chains such as ARB or OP, it is important to ensure that the provided prices are not falsely perceived as fresh while the sequencer is down. Chainlink itself recommends checking the sequencer status. Without this check, price feeds could be wrong.

Example:

  • USDC de-pegs after the last update, but the sequencer is down. When Chainlink triggers a forced heartbeat (because the price moved more than 0.25% within the span of 1 heartbeat), the update on the feed is not shown on the L2, and OracleLib continues to work for the next 2-3 hours, until secondsSince > TIMEOUT becomes true.

Because the price is not updated, liquidations will also not be possible, since they will revert when liquidate calls getTokenAmountFromUsd to check the price of the assets.

Impact

Prices could be perceived as fresh even though they are not.

Tools Used

Manual review

Recommendations

Use a Chainlink oracle to determine whether the sequencer is offline.
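
One way to implement this recommendation, as an added example that is not the project's own code: a price read that first consults a Chainlink L2 sequencer uptime feed and only then applies the staleness timeout. The library name, error names, the 3-hour TIMEOUT and the 1-hour grace period are assumptions, and the uptime feed address must be supplied per chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Trimmed copy of Chainlink's AggregatorV3Interface: only the call used here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical library; names and constants are assumptions, not the project's OracleLib.
library SequencerAwareOracleLib {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();

    uint256 private constant TIMEOUT = 3 hours;      // assumed staleness window
    uint256 private constant GRACE_PERIOD = 1 hours; // assumed wait after the sequencer comes back

    function checkedLatestRoundData(AggregatorV3Interface sequencerUptimeFeed, AggregatorV3Interface priceFeed)
        internal
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)
    {
        {
            // Uptime feed semantics: answer 0 = sequencer up, 1 = sequencer down;
            // startedAt = timestamp of the last status change.
            (, int256 status, uint256 statusSince,,) = sequencerUptimeFeed.latestRoundData();

            // A zero timestamp is treated here as an invalid round (assumption).
            if (status != 0 || statusSince == 0) revert SequencerDown();

            // Right after a restart the price feed may not have caught up yet,
            // so reject reads until the grace period has passed.
            if (block.timestamp - statusSince <= GRACE_PERIOD) revert GracePeriodNotOver();
        }

        (roundId, answer, startedAt, updatedAt, answeredInRound) = priceFeed.latestRoundData();

        // Existing style of staleness check, now only reached when the sequencer is up.
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert StalePrice();
    }
}
```

Reverting while the sequencer is down also blocks liquidations for that period, so the grace period length is a protocol design decision rather than a fixed value.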
