QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Absence of checks for L2 sequencer downtime

Summary

Both ChainlinkOracle and MultiHopOracle lack an implementation to verify if the L2 Sequencer is currently non-operational.

Vulnerability Details

When utilizing Chainlink or other oracles with L2 networks like Arbitrum, it is crucial for smart contracts to verify the status of the L2 Sequencer to prevent the usage of outdated pricing data that may appear up-to-date.

    function _getData() internal view override returns (int216, uint40) {
        (/*uint80 roundID*/, int data, /*uint startedAt*/, uint timestamp, /*uint80 answeredInRound*/) =
            priceFeed.latestRoundData();
        require(data > 0, "INVLDDATA");
        data = data * int(10 ** normalizationFactor);
        // Overflow of data is extremely improbable and uint40 is large enough for timestamps for a very long time
        return (int216(data), uint40(timestamp));
    }

Impact

The code may execute with prices that do not accurately represent the current market values, potentially leading to financial losses for users or the protocol.

Tools used

Manual Review

Recommendations

Refer to Chainlink’s official documentation for an example of how to implement checks for L2 sequencers.
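A sketch of the sequencer check applied to the `_getData()` function quoted above. This is an added example, not QuantAMM's or Chainlink's code: the contract name, `sequencerUptimeFeed`, the one-hour `GRACE_PERIOD`, the constructor, and the type of `normalizationFactor` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Minimal copy of the Chainlink aggregator read interface, declared inline
// so the example compiles without external imports.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract SequencerCheckedOracle {
    // Assumption: both feed addresses are supplied at deployment for the target L2.
    IAggregatorV3 internal immutable priceFeed;
    IAggregatorV3 internal immutable sequencerUptimeFeed;
    uint256 internal immutable normalizationFactor;

    // Assumption: one hour must pass after the sequencer comes back up.
    uint256 internal constant GRACE_PERIOD = 3600;

    error SequencerDown();
    error GracePeriodNotOver();

    constructor(address _priceFeed, address _sequencerUptimeFeed, uint256 _normalizationFactor) {
        priceFeed = IAggregatorV3(_priceFeed);
        sequencerUptimeFeed = IAggregatorV3(_sequencerUptimeFeed);
        normalizationFactor = _normalizationFactor;
    }

    function _getData() internal view returns (int216, uint40) {
        // Uptime feed: answer 0 = sequencer up, 1 = down; startedAt = time of the last status change.
        (, int256 status, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (status != 0) revert SequencerDown();
        // startedAt == 0 means the uptime feed has no round yet; treat that as unsafe too.
        if (startedAt == 0 || block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();

        // Unchanged price read from the original function.
        (, int256 data, , uint256 timestamp, ) = priceFeed.latestRoundData();
        require(data > 0, "INVLDDATA");
        data = data * int256(10 ** normalizationFactor);
        return (int216(data), uint40(timestamp));
    }

    function getData() external view returns (int216, uint40) {
        return _getData();
    }
}
```

The grace period keeps the contract from acting on the first prices after a restart, before feeds and users have had time to catch up.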

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_sequencer_status_chainlink_and_L2

LightChaser:

[Medium-6] Missing checks for whether the L2 Sequencer is active

[Low-22] Chainlink sequencer status is not checked
