Missing Sequencer Uptime Check in Oracle Data Retrieval
Summary
QuantAMM retrieves oracle data without validating the Arbitrum sequencer status, which could lead to stale or incorrect price data being used when the sequencer is down.
Vulnerability Details
In UpdateWeightRunner.sol, the getData() function retrieves oracle price data without checking if the Arbitrum sequencer is operational
When deployed on Arbitrum, the contract should verify the sequencer's status before accepting oracle data, as the sequencer could be down. This is particularly important for Chainlink oracle implementations which require explicit sequencer uptime validation on Arbitrum.
Impact
Code can execute with prices that don’t reflect the current pricing resulting in a potential loss of funds for users or the protocol.
Recommendations
Add sequencer uptime validation before getting oracle data on L2 networks:
Chainlink’s official documentation provides an example implementation of checking L2 sequencers.
Lead Judging Commences
invalid_sequencer_status_chainlink_and_L2
LightChaser: ## [Medium-6] Missing checks for whether the L2 Sequencer is active ## [Low-22] Chainlink sequencer status is not checked
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.