The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

No check if Arbitrum L2 sequencer is down in Chainlink feeds

mahdirostami

Summary

The LiquidationPool::distributeAssets function uses Chainlink.AggregatorV3Interface as a price oracle for Chainlink feeds in Arbitrum L2. However, it lacks a check to determine if the Arbitrum L2 sequencer is down. This check is crucial to ensure that prices do not appear to be fresh when the sequencer is unavailable.

Vulnerability Details

The absence of a check for the Arbitrum L2 sequencer being down in the LiquidationPool::distributeAssets function could lead to inaccurate asset distribution. Prices retrieved from Chainlink feeds may not reflect the actual market conditions if the sequencer is down.

function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable {

consolidatePendingStakes();

(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData(); //@audit arbitrum

uint256 stakeTotal = getStakeTotal();

uint256 burnEuros;

uint256 nativePurchased;

for (uint256 j = 0; j < holders.length; j++) {

Position memory _position = positions[holders[j]];

uint256 _positionStake = stake(_position);

if (_positionStake > 0) {

for (uint256 i = 0; i < _assets.length; i++) {

ILiquidationPoolManager.Asset memory asset = _assets[i];

if (asset.amount > 0) {

(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData(); //@audit arbitrum

Impact

The vulnerability could result in incorrect asset distribution within the LiquidationPool::distributeAssets function when using Chainlink feeds on Arbitrum L2.

Tools Used

Manual Review

Recommendation

It is recommended to implement a check for the Arbitrum L2 sequencer status before fetching prices from Chainlink feeds. The example code provided by Chainlink documentation for L2 sequencer feeds can be referenced for guidance: Chainlink L2 Sequencer Feeds Example Code. This modification will ensure that the system only relies on Chainlink prices when the sequencer is operational, preventing inaccurate asset distribution.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Arbitrum-sequncer

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

Arbitrum-sequncer

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.