Missing Sequencer Uptime Feed Check in Chainlink Oracle
Summary
The Chainlink Oracle implementation does not validate sequencer uptime feeds as recommended by the Chainlink documentation. This oversight may lead to the use of invalid or stale data during sequencer downtime or the grace period after it comes back online, causing potential operational and financial risks.
Vulnerability Details
The `_getData` function of ChainlinkOracle.sol retrieves data from `priceFeed.latestRoundData()` without checking the status of the sequencer using a sequencer uptime feed. Optimistic Rollup protocols rely on sequencers to batch transactions and maintain network stability. When the sequencer is unavailable, most users cannot access L2 services, and the system should not rely on data feeds that are potentially stale or invalid.
Impact
• Use of Stale Data: During sequencer downtime, price feed data may not reflect the actual market state.
• Financial Losses: Applications using these data feeds could execute mass liquidations or other operations based on outdated information, leading to significant financial loss for users.
Tools Used
vscode
Recommendations
Lead Judging Commences
invalid_sequencer_status_chainlink_and_L2
LightChaser: ## [Medium-6] Missing checks for whether the L2 Sequencer is active ## [Low-22] Chainlink sequencer status is not checked
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.