The Standard

Summary

Given that the contract may be deployed on many EVM chain (as the sponsor said, I quote: "no plans to do so any time soon, but it is possible"), when utilizing Chainlink in L2 chains like Arbitrum, it's important to ensure that the prices provided are not falsely perceived as fresh particularly in scenarios where the sequencer might be non-operational. Hence, a critical step involves confirming the active status of the sequencer before trusting the data returned by the oracle.

Vulnerability Details

In the event of an Arbitrum Sequencer outage, the oracle data may become outdated, potentially leading to staleness. It does not check if Arbirtrum Sequencer is active. You can review Chainlink docs on L2 Sequencer Uptime Feeds for more details on this. https://docs.chain.link/data-feeds/l2-sequencer-feeds

Impact

In the scenario where the Arbitrum sequencer experiences an outage, the protocol will enable users to maintain their operations based on the previous (stale) rates.

Tools Used

Manual Review

Recommendations

There is a code example on Chainlink docs for this scenario: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code. You can add this function in LiquidatioPool and use it in LiquidationPool::distributeAssets For illustrative purposes this can be:

function isSequencerAlive() internal view returns (bool) {
  (, int256 answer, uint256 startedAt,,) = sequencer.latestRoundData();
  if (block.timestamp - startedAt <= GRACE_PERIOD_TIME || answer == 1)
    return false;
  return true;
}

function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable {
    consolidatePendingStakes();
    require(isSequencerAlive(), "Sequencer is down");
    (,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();