LightChaser found bugs in the Chainlink oracle configuration: the code should check whether the sequencer is up or down, check the min/maxAnswer bounds, and check for stale prices. These are all important checks, but the code misses one more important check. The vulnerability arises in the Chainlink oracle configuration, specifically in how the sequencer's status and the validity of the price data are handled. The current code doesn't correctly handle scenarios where the sequencer goes down and later comes back online.
Chainlink Docs - https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
Missed Grace Period Handling: After the sequencer comes back online, the code fails to enforce a grace period before using the price data from the Chainlink oracle. This could lead to the protocol using invalid or outdated prices immediately after the sequencer is back up.
The protocol can use wrong or stale values from the Chainlink oracle.
Manual Review
Add the following check
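A sequencer-uptime check with a grace period, following the pattern in the Chainlink L2 sequencer feeds documentation linked above. This is an added example, not the submission's or the audited protocol's code; the contract name, constructor parameters, error names and the one-hour `GRACE_PERIOD_TIME` value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal Chainlink aggregator interface (only the call used here).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical consumer contract; all names here are illustrative assumptions.
contract SequencerAwarePriceReader {
    // Assumed value: how long to wait after the sequencer comes back up.
    uint256 private constant GRACE_PERIOD_TIME = 3600;

    AggregatorV3Interface internal immutable sequencerUptimeFeed;
    AggregatorV3Interface internal immutable priceFeed;

    error SequencerDown();
    error GracePeriodNotOver();

    constructor(address _sequencerUptimeFeed, address _priceFeed) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
        priceFeed = AggregatorV3Interface(_priceFeed);
    }

    function getPrice() external view returns (int256) {
        (, int256 answer, uint256 startedAt,,) = sequencerUptimeFeed.latestRoundData();

        // Uptime feed semantics: answer == 0 means up, answer == 1 means down.
        if (answer != 0) revert SequencerDown();

        // startedAt is the time the sequencer status last changed. Right after
        // recovery, reject reads until the grace period has elapsed so that
        // prices from around the outage are not consumed.
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();

        // Staleness and min/maxAnswer checks on the price feed are separate
        // checks and are not shown here.
        (, int256 price,,,) = priceFeed.latestRoundData();
        return price;
    }
}
```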
LightChaser: [Medium-6] Missing checks for whether the L2 Sequencer is active; [Low-22] Chainlink sequencer status is not checked