Submission Details
Severity:
No checks if the L2 sequencer is active
Github link
Summary
Chainlink recommends that users using price oracles, check whether the L2 Sequencer is active.
Vulnerability Details
If the sequencer goes down, the chainlink oracles may have stale prices, since L2-submitted transactions (i.e. by the aggregating oracles) will not be processed.
File: LibChainlinkOracle.sol
70: // Secondly, try to get latest price data:
71: try priceAggregator.latestRoundData() returns (
72: uint80 roundId,
73: int256 answer,
74: uint256 /* startedAt */,
75: uint256 timestamp,
76: uint80 /* answeredInRound */)
...
113: try priceAggregator.latestRoundData() returns (
114: uint80 roundId,
115: int256 answer,
116: uint256 /* startedAt */,
117: uint256 timestamp,
118: uint80 /* answeredInRound */)
So the above functions might return incorrect prices.
Impact
The protocol might use a stale price from Chainlink oracles.
Tools Used
Manual Review
Recommendations
Use a chainlink oracle to determine whether the sequencer is offline or not.
Updates
Lead Judging Commences
inallhonesty 11 months ago
Submission Judgement Published Reason: Known issue
Assigned finding tags:
L2 Sequencer check
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.