The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Missing checks for whether Arbitrum Sequencer is active

0xasen

Summary

When utilizing Chainlink in L2 chains like Arbitrum, it's important to ensure that the prices provided are not falsely perceived as fresh, even when the sequencer is down.

Chainlink recommends that users using price oracles, check whether the Arbitrum Sequencer is active.

Vulnerability Details

The project will be deployed on Arbitrum. However, there is no check if the Arbitrum Sequencer is active. The sequencer being down has happened in the past - Arbitrum sequencer suffers 10 hours outage.

The required check to make sure the sequencer is active is not present in the code:

(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();

Impact

In the case of an Arbitrum outage, a malicious actor can exploit the protocol.

Tools Used

Manual review

Recommendations

Implement a method to check if the sequencer is down. Follow the Chainlink docs for dealing with EVM chains: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Arbitrum-sequncer

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Arbitrum-sequncer

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.