The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

No check if Arbitrum L2 sequencer is active

Summary

LiquidationPool makes use of Chainlink's data feeds but does not ensure the Arbitrum L2 sequencer is up. This leads to the possibility of users interacting with stale prices.

Vulnerability Details

LiquidationPool uses Chainlink's data feeds to provide LiquidationPool::distributeAssets() with reliable price data on all accepted tokens. However, it never checks whether the Arbitrum L2 sequencer is down. If it goes down, the prices returned will be stale.

L207:

(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();

L218:

(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();

This is also present in the PriceCalculator contract and will lead to similar issues wherever its functions are used. While that one is out of scope for this contest, I believe it is still worth mentioning.

Impact

  • Wrongly updated EUROs positions of all stakers

  • Wrong amount of EUROs being burned from the contract

  • Wrong reward distribution

Tools Used

Manual Analysis

Recommendations

Implement the following code example from the official Chainlink docs: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
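A sketch of the recommended check, added here as an illustration; it is not the project's code and not copied from the Chainlink docs. The contract name, error names, GRACE_PERIOD value and the maxAge parameter are assumptions. It also goes one step beyond the sequencer check by rejecting non-positive and outdated answers from the price feed itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal interface with the same latestRoundData() signature the pool already calls.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper: all names below are assumptions, not identifiers from the audited code.
contract SequencerGuardedFeed {
    AggregatorV3Interface public immutable sequencerUptimeFeed;
    uint256 public constant GRACE_PERIOD = 1 hours; // assumed value, tune per deployment

    error SequencerDown();
    error GracePeriodNotOver();
    error InvalidPrice();
    error StalePrice();

    constructor(address _sequencerUptimeFeed) {
        // Address of the L2 sequencer uptime feed for the target chain (supplied at deploy time).
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
    }

    function _requireSequencerUp() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        // Uptime feed convention: answer == 0 means up, answer == 1 means down.
        if (answer != 0) revert SequencerDown();
        // startedAt is when the status last changed; after a recovery, wait out
        // the grace period so feeds can catch up before prices are trusted.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }

    // Guarded replacement for a bare latestRoundData() read such as the ones at L207 and L218.
    function readPrice(address feed, uint256 maxAge) public view returns (int256 price) {
        _requireSequencerUp();
        uint256 updatedAt;
        (, price, , updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();
        if (price <= 0) revert InvalidPrice();
        if (block.timestamp - updatedAt > maxAge) revert StalePrice();
    }
}
```

With this in place, distributeAssets() would revert while the sequencer is down or still within the grace period instead of computing rewards and burns from stale prices.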

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Arbitrum-sequncer

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Arbitrum-sequncer
