Using Chainlink on L2 chains such as Arbitrum requires checking whether the sequencer is down, so that prices do not appear fresh when they are not.
The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.
The distributeAssets function, responsible for allocating liquidated assets to stakeholders, retrieves price data without checking the sequencer's status.
If the Arbitrum sequencer becomes unavailable, the contract could use stale price data, leading to inaccurate asset distributions and potential financial losses.
Users might operate under incorrect asset prices, leading to unfair outcomes and potential arbitrage opportunities.
Manual Analysis
Follow Chainlink's recommended code example (https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code) to incorporate a sequencer uptime check before fetching price data within the distributeAssets function.
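A sketch of the recommended guard, modelled on the pattern in Chainlink's L2 sequencer feed documentation; it is an added example, not code from the audited project. The contract name, the function names getCheckedPrice and _checkSequencer, the inline IAggregator interface and the one-hour grace period are assumptions; distributeAssets would call the guarded read in place of its direct price fetch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of Chainlink's aggregator interface, declared inline so the example is self-contained.
interface IAggregator {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract for illustration; feed addresses are supplied at deployment.
contract SequencerGuardedPrice {
    error SequencerDown();
    error GracePeriodNotOver();
    error InvalidPrice();

    // Assumption: one hour to wait after the sequencer comes back before trusting prices.
    uint256 private constant GRACE_PERIOD_TIME = 3600;

    IAggregator public immutable sequencerUptimeFeed;
    IAggregator public immutable priceFeed;

    constructor(address uptimeFeed_, address priceFeed_) {
        sequencerUptimeFeed = IAggregator(uptimeFeed_);
        priceFeed = IAggregator(priceFeed_);
    }

    // Reverts while the sequencer is down or has only just come back up.
    function _checkSequencer() internal view {
        (, int256 answer, uint256 startedAt,,) = sequencerUptimeFeed.latestRoundData();
        // Uptime feed convention: answer == 0 means up, answer == 1 means down.
        if (answer != 0) revert SequencerDown();
        // startedAt is the time of the last status change; require the grace period to have passed.
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();
    }

    // Price read that a function such as distributeAssets would use instead of a direct feed call.
    function getCheckedPrice() public view returns (uint256) {
        _checkSequencer();
        (, int256 price,,,) = priceFeed.latestRoundData();
        if (price <= 0) revert InvalidPrice();
        return uint256(price);
    }
}
```

With this guard, a distribution attempted during an outage or inside the grace period reverts instead of settling at the last price recorded before the sequencer stopped.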