DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: medium
Invalid

No check if L2 sequencer is down in Chainlink feeds

Summary

Using Chainlink on L2 chains such as Arbitrum and Optimism requires checking whether the sequencer is down, so that prices do not look fresh when they are not.

Vulnerability Details

The sponsors confirm in Discord:

anything hardcoded in that relies on assumptions specific to eth mainnet would also be valid, regardless of L2. things like block time, gas costs, fee based ordering of transactions, available opcodes, etc

    try priceAggregator.latestRoundData() returns (
        uint80 roundId,
        int256 answer,
        uint256 /* startedAt */,
        uint256 timestamp,
        uint80 /* answeredInRound */
    ) {
        // Check for an invalid roundId that is 0
        if (roundId == 0) return 0;
        if (checkForInvalidTimestampOrAnswer(timestamp, answer, block.timestamp, maxTimeout)) {
            return 0;
        }
        // Adjust to 6 decimal precision.
        return uint256(answer).mul(PRECISION).div(10 ** decimals);
    } catch {
        // If call to Chainlink aggregator reverts, return a price of 0 indicating failure
        return 0;
    }

LibChainlinkOracle.sol shows that the Chainlink price feeds are used to fetch the ETH/USD price and the stETH/ETH price. There is no check for whether the sequencer is down.

Impact

This affects the purchase of fertilizer (which uses the Chainlink oracle to get the fertilizer amount) and the well price.

Tools Used

manual

Recommendations

It is recommended to follow the code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code.
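
The check this finding asks for, as an added example (not the project's code and not copied from the Chainlink documentation): the price read is gated on the L2 sequencer uptime feed and a grace period after recovery, and fails to 0 like the snippet above. Assumptions: the contract name, the one-hour `GRACE_PERIOD`, feed addresses and decimals supplied at deployment, and the uptime-feed convention that an answer of 0 means up and 1 means down, with `startedAt` marking the last status change.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline.
interface IAggregatorV3 {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Added example: hypothetical wrapper, not the project's LibChainlinkOracle.
contract SequencerAwarePriceReader {
    uint256 constant PRECISION = 1e6;            // 6-decimal output, as in the snippet above
    uint256 constant GRACE_PERIOD = 1 hours;     // assumed value; tune per deployment
    IAggregatorV3 immutable sequencerUptimeFeed; // L2 sequencer uptime feed (deploy-time address)
    IAggregatorV3 immutable priceFeed;
    uint256 immutable maxTimeout;                // max accepted age of a price, in seconds
    uint256 immutable feedDecimals;

    constructor(IAggregatorV3 uptime, IAggregatorV3 price, uint256 timeout, uint8 decimals_) {
        sequencerUptimeFeed = uptime;
        priceFeed = price;
        maxTimeout = timeout;
        feedDecimals = decimals_;
    }

    // True only if the sequencer is up and has been up for longer than GRACE_PERIOD.
    function sequencerHealthy() public view returns (bool) {
        try sequencerUptimeFeed.latestRoundData() returns (uint80, int256 status, uint256 startedAt, uint256, uint80) {
            if (status != 0) return false; // 0 = up, 1 = down
            if (startedAt == 0 || startedAt > block.timestamp) return false; // uninitialised or bogus round
            return block.timestamp - startedAt > GRACE_PERIOD;
        } catch {
            return false; // uptime feed unreachable: treat as unhealthy
        }
    }

    // Price with 6 decimals, or 0 on any failure (same convention as the snippet above).
    function getPrice() external view returns (uint256) {
        if (!sequencerHealthy()) return 0;
        try priceFeed.latestRoundData() returns (uint80 roundId, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (roundId == 0 || answer <= 0) return 0;
            if (updatedAt == 0 || updatedAt > block.timestamp) return 0;
            if (block.timestamp - updatedAt > maxTimeout) return 0;
            return uint256(answer) * PRECISION / (10 ** feedDecimals);
        } catch {
            return 0;
        }
    }
}
```

The grace period matters because the first rounds after the sequencer restarts may still carry prices from before the outage.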

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

L2 Sequencer check
