Submission Details
Severity:
check the latest answer from the L2 Sequencer Uptime Feed to ensure that the data is accurate in the event of an L2 sequencer outage
Summary
If you are using Chainlink Data Feeds on L2 networks like Arbitrum, Optimism, and Metis, you must also check the latest answer from the L2 Sequencer Uptime Feed to ensure that the data is accurate in the event of an L2 sequencer outage
Vulnerability Details
OracleLib.sol not check the latest answer from the L2 Sequencer Uptime Feed
Impact
If Chainlink returns old or zero data, the user's collateral will be liquidated prematurely
Tools Used
manual
Recommendations
function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
public
view
returns (uint80, int256, uint256, uint256, uint80)
{
+ if(block.chainid == 0xa4b1 || block.chainid == 0xa ||block.chainid == 0x440) {
+ (
+ /*uint80 roundID*/,
+ int256 answer,
+ uint256 startedAt,
+ /*uint256 updatedAt*/,
+ /*uint80 answeredInRound*/
+ ) = sequencerUptimeFeed.latestRoundData();
+ // Answer == 0: Sequencer is up
+ // Answer == 1: Sequencer is down
+ bool isSequencerUp = answer == 0;
+ if (!isSequencerUp) {
+ revert SequencerDown();
+ }
+ }
(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
priceFeed.latestRoundData();
uint256 secondsSince = block.timestamp - updatedAt;
if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
+ if(roundId<answeredInRound) revert OracleLib__StalePrice();
+ if(answer<=0) revert OracleLib__StalePrice();
return (roundId, answer, startedAt, updatedAt, answeredInRound);
}
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
23664 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.