Oracle adapters doesn't check L2 Sequencer
Summary
Chainlink recommends that all Optimistic L2 oracles consult the Sequencer Uptime Feed to ensure that the sequencer is live before trusting the data returned by the oracle. This check is absent in current oracle adapters.
Beanstalk will be redeployed on L2, so this concern becomes valid. Despite the fact that the L2 network is still unknown most probably team is interested in potential issues with different L2s such as Arbitrum.
Vulnerability Details
Chainlink recommends that users using price oracles, check whether the Arbitrum sequencer is active
https://docs.chain.link/data-feeds#l2-sequencer-uptime-feeds
If the sequencer goes down, the index oracles may have stale prices, since L2-submitted transactions (i.e. by the aggregating oracles) will not be processed.
Impact
Stale prices, e.g. if USDC were to de-peg while the sequencer is offline, stale price is used.
Tools Used
Manual Review
Recommendations
Use sequencer oracle to determine whether the sequencer is offline or not, and don't allow orders to be executed while the sequencer is offline.
Lead Judging Commences
L2 Sequencer check
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.