Submission Details
Severity: medium
Valid

No sequencer check before querying Chainlink data on L2 like Arbitrum

Summary

Stale prices may be used while the sequencer is down and for a period after it comes back online. If the Sequencer goes down, the protocol will allow users to continue to operate at the previous (stale) rates.

Vulnerability Details

As Patrick mentioned on Discord:

Q: do we have to assume it will be only deployed on Mainnet?

A: Assume it's deployed on any EVM chain

Thus, we can assume this contract will also be deployed on L2s such as Arbitrum or Optimism.

Based on https://docs.chain.link/data-feeds/l2-sequencer-feeds/, optimistic rollups such as Arbitrum and Optimism rely on a sequencer that executes L2 transactions and rolls them up by batching multiple transactions into a single L1 transaction.

Chainlink recommends that all L2 oracles consult the Sequencer Uptime Feed to ensure that the sequencer is live before trusting the data returned by the oracle.

If the Sequencer goes down, oracle data on the L2 will not be kept up to date, and thus could become stale. However, users are still able to interact with the protocol by submitting transactions directly through the L1 delayed inbox (bypassing the sequencer). See the Chainlink docs on L2 Sequencer Uptime Feeds for more details on this.

As a result, users may be able to use the protocol while oracle feeds are stale, and the contract has no way to tell that the prices it reads are out of date.

Impact

Users may be able to use the protocol while oracle feeds are stale. Any operation that depends on the feed (pricing, collateral valuation, liquidation thresholds) would then be executed at outdated prices, and a user who knows the real market price can trade against the protocol at the stale rate until the feed catches up.

Tools Used

Manual analysis

Recommendations

Remediation Steps
Consider reverting if the Sequencer Uptime Feed reports that the sequencer is down, and also for a grace period after it comes back up, since the price feed itself needs time to catch up after an outage (Chainlink's documented pattern). In addition, check the price feed's updatedAt timestamp against a maximum acceptable age so a feed that is simply not updating is also rejected.

See the Chainlink documentation on L2 Sequencer Uptime Feeds, including how L1 transactions are queued while the sequencer is down:
https://docs.chain.link/data-feeds/l2-sequencer-feeds/

Check the Chainlink Documentation for a full example:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
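The check described in the Vulnerability Details and Remediation Steps sections, written out as an added example (this is illustrative code, not the audited protocol's code and not copied from Chainlink's docs). It assumes the consumer is given the Sequencer Uptime Feed address and the price feed address at deployment (the addresses per network are listed in the Chainlink docs linked above), and the `maxStaleness` parameter and the one-hour grace period are example values to be tuned per deployment. It follows the Chainlink uptime-feed convention that `answer == 0` means the sequencer is up and `answer == 1` means it is down, with `startedAt` being the time of the last status change.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Chainlink's standard aggregator interface (same ABI for the price feed and the uptime feed).
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/// @notice Example consumer that refuses to serve a price when the L2 sequencer is down,
///         during the grace period after it comes back up, or when the price feed is stale.
contract SequencerAwarePriceConsumer {
    AggregatorV3Interface public immutable sequencerUptimeFeed; // address from Chainlink docs (assumption: passed in)
    AggregatorV3Interface public immutable priceFeed;

    // Example values: an hour of grace after the sequencer recovers, and a per-feed max age
    // (set it from the feed's documented heartbeat, e.g. slightly above heartbeat + delivery slack).
    uint256 public constant GRACE_PERIOD_TIME = 3600;
    uint256 public immutable maxStaleness;

    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();
    error InvalidPrice();

    constructor(address _sequencerUptimeFeed, address _priceFeed, uint256 _maxStaleness) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
        priceFeed = AggregatorV3Interface(_priceFeed);
        maxStaleness = _maxStaleness;
    }

    /// @dev Reverts unless the sequencer is up, the grace period has passed, and the price is fresh.
    function getLatestPrice() external view returns (int256 price) {
        _requireSequencerUp();

        (, int256 answer, , uint256 updatedAt, ) = priceFeed.latestRoundData();

        // A non-positive answer is never a valid price.
        if (answer <= 0) revert InvalidPrice();
        // Reject a feed that has not been updated within the acceptable window, regardless
        // of why (sequencer outage, oracle network issue, or feed deprecation).
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice();

        return answer;
    }

    /// @dev The vulnerable pattern this report describes is simply omitting this function.
    function _requireSequencerUp() internal view {
        (, int256 status, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();

        // Uptime feed convention: 0 = sequencer up, 1 = sequencer down.
        if (status != 0) revert SequencerDown();

        // startedAt is when the sequencer last came back up. Immediately after an outage the
        // price feed may still be catching up, so wait out the grace period before trusting it.
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();
    }
}
```

Every external entry point that prices anything should route through `getLatestPrice()` (or call `_requireSequencerUp()` directly), otherwise a single unchecked path still lets a user act on stale data via the L1 delayed inbox while the sequencer is down. On L1 deployments there is no uptime feed; deploy with the sequencer check disabled (for example by passing a zero address and skipping `_requireSequencerUp()` in that case) rather than pointing it at an arbitrary aggregator.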
