15,000 USDC
Submission Details
Severity: medium
Valid

Missing L2 sequencer availability check

Summary

When the protocol is deployed to L2 chains, an additional sequencer status check is required before consuming any oracle data, to avoid false liquidations or over-minting of the DSC stablecoin.

Vulnerability Details

As stated in the Discord channel, the protocol is assumed to be deployable to any EVM chain.
When deployed to optimistic L2 chains, OracleLib.staleCheckLatestRoundData() does not check whether the L2 sequencer is active.
If the L2 sequencer goes offline, the oracle may return an invalid or outdated price, and the staleness check alone will not catch it.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

library OracleLib {
    error OracleLib__StalePrice();

    uint256 private constant TIMEOUT = 3 hours; // 3 * 60 * 60 = 10800 seconds

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();
        // Only checks how old the price is; nothing here asks whether the L2 sequencer is live.
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/d1c5501aa79320ca0aeaa73f47f0dbc88c7b77e2/src/libraries/OracleLib.sol#L21-L33

Impact

An invalid or stale price is consumed if the sequencer is not online, which can trigger false liquidations or allow over-minting of DSC.

Tools Used

Manual review.

Recommendations

It is recommended to follow Chainlink's example code for L2 sequencer uptime feeds:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
