The Standard
DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Lack of L2 Sequencer availability check.

Summary

The protocol relies heavily on the accuracy of Chainlink price oracles in the asset distribution logic of LiquidationPool.sol. Chainlink's documentation recommends checking whether the L2 sequencer is up before consuming a price, to avoid acting on stale prices.

Vulnerability Details

If the Arbitrum sequencer goes down, oracle data on L2 is no longer kept up to date and the reported prices become stale. Users, however, can still interact with the protocol directly through the L1 rollup contract (forced inclusion via the delayed inbox).

As a result, users can use the protocol while the oracle feeds are stale. This is a problem because a malicious user can precompute the outcome of LiquidationPool::distributeAssets and call it only when the difference between the stale L2 price and the actual L1 price favors them, so that they receive more rewards than they should.

Impact

If the sequencer goes down, the protocol keeps operating at the previous (stale) rates, which malicious actors can leverage to gain an unfair advantage over other participants.

Tools Used

Manual review

Recommendations

Check sequencer uptime before consuming any price data.

The way this check is performed can be found here.
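As an added illustration of the recommended mitigation (this is example code, not code from The Standard protocol or from Chainlink), the contract below wraps a Chainlink price feed so that the price is only returned when the L2 sequencer uptime feed reports the sequencer as up, the sequencer has been up for longer than a grace period, and the price answer itself is fresh. The feed addresses are constructor parameters, and the `GRACE_PERIOD` and `MAX_PRICE_AGE` values are assumed placeholders that a protocol would tune to its feeds; the `AggregatorV3Interface` is declared inline so the file compiles without imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Chainlink aggregator interface, declared inline so this example
// compiles without external imports (the real one is in @chainlink/contracts).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// Example consumer that refuses to use a price while the L2 sequencer is
/// down or has only just come back. Feed addresses are supplied at deploy
/// time, so nothing here assumes a particular network.
contract SequencerAwarePriceConsumer {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();
    error InvalidPrice();

    AggregatorV3Interface public immutable sequencerUptimeFeed;
    AggregatorV3Interface public immutable priceFeed;

    // Time to wait after the sequencer comes back before trusting prices
    // again (assumed value; tune per deployment).
    uint256 public constant GRACE_PERIOD = 1 hours;
    // Maximum age of a price answer before it is treated as stale
    // (assumed value; should match the price feed's heartbeat).
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    constructor(address _sequencerUptimeFeed, address _priceFeed) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
        priceFeed = AggregatorV3Interface(_priceFeed);
    }

    /// Reverts unless the sequencer is up and has been up for GRACE_PERIOD.
    function _checkSequencer() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();

        // Uptime feed semantics: answer == 0 means up, answer == 1 means down.
        if (answer != 0) revert SequencerDown();

        // startedAt is when the current status began. Right after recovery
        // the price feeds may not have caught up yet, so wait out the grace period.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }

    /// Returns the price only when the sequencer check passes and the answer is fresh.
    function getValidatedPrice() public view returns (uint256) {
        _checkSequencer();

        (, int256 price, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        if (price <= 0) revert InvalidPrice();
        if (block.timestamp - updatedAt > MAX_PRICE_AGE) revert StalePrice();

        return uint256(price);
    }
}
```

In a function like LiquidationPool::distributeAssets the call to `getValidatedPrice()` (or an equivalent internal check) would replace the direct read of the price feed, so that the distribution reverts during an outage instead of settling at a stale rate. The grace period matters as much as the up/down flag: immediately after the sequencer resumes, feeds may still carry pre-outage answers, and the `updatedAt` check guards against a feed that is simply not updating.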

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Arbitrum-sequncer

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Arbitrum-sequncer
