The Standard

Summary

Using Chainlink in L2 chains such as Arbitrum requires to check if the sequencer is down to avoid prices from looking like they are fresh although they are not.

The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.

Additionally, Consider we have deployed The Standard protocol on Arbitrum L2, and its sequencer goes down. When the sequencer comes back online and oracles update their prices, all price movements that occurred during downtime are applied at once. If these movements are significant, they may cause chaos. Borrowers would rush to save their positions, while liquidators would rush to liquidate borrowers. Since liquidations are handled mainly by bots, borrowers are likely to suffer mass liquidations.

This is unfair to borrowers, as they could not act on their positions even if they wanted to due to the L2 downtime.

Vulnerability Details

In PriceCalculator::tokenToEurAvg, PriceCalculator::avgPrice, PriceCalculator::tokenToEur, PriceCalculator::eurToToken, there is no check that the sequencer is down.

Impact

The impact depends on the usage of the price info.
when it is used as part of the collateral for lenders:

• Users can get better borrows if the price is above the actual price

• Users can avoid liquidations if the price is under the actual price

Tools Used

Manual review

Recommendations

It is recommended to follow the code example of Chainlink:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
It would be ideal if the protocol gives borrowers a grace period once the sequencer returns but if a position is heavily undercollateralized, liquidations are allowed even if the protocol is under a grace period.