When utilizing Chainlink in L2 chains like Arbitrum, it's important to ensure that the prices provided are not falsely perceived as fresh, even when the sequencer is down. This vulnerability could potentially be exploited by malicious actors to gain an unfair advantage.
The library function for getting asset's price looks like this :
But there is no checks regarding the scenario if L2 squencer is not active . It will lead to scenario when false price may get fetched .
Similar findings
False price may get fetched which will lead malicious users to gain an advantage .
Manual review .
Here's an code example from chainlink to mitigate the issue
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.