In `_getChainlinkResponse()` there is no check if the Sequenzer for L2s is up when calling the oralce
Summary
Price from oracle on L2s can be invalid/stale if the sequencer is down. This could lead to users being able to claim tokens that they should not be able to claim.
Vulnerability Details
If the sequencer of the L2s were to go offline the Chainlink oracle may return an invalid/stale
price. This could lead to users being able to claim tokens that they should not be able to claim.
For example, if the last reference price recorded by the oracle was above the final tier price, this would have unlocked all tokens to be claimable. If the sequencer goes and in the meantime down the reference price falls below the final tier price , the oracle would still return the high price even though the price is lower now and not all tokens should be claimable.
It should always be checked if the sequencer is up before consuming any data from Chainlink. For more details on L2 Sequencer Uptime Feeds check the Chainlink docs(https://docs.chain.link/data-feeds/l2-sequencer-feeds) specify more details.
Impact
Receivers can claim tokens they should not be able to claim
Tools Used
Recommendations
Include a check if the sequencer is up
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.