DeFiFoundry
50,000 USDC
Submission Details
Severity: medium
Valid

Hardcoded sequencerUptimeFeed Address

Summary

The initialize function hardcodes the sequencerUptimeFeed address to 0xFdB631F5EE196F0ed6FAa767959853A9F217697D. This approach has two major issues:

The hardcoded address is Chainlink's Arbitrum L2 Sequencer Uptime Feed and will not work if the contract is deployed on Avalanche: Avalanche is an L1 with no sequencer, so Chainlink publishes no Sequencer Uptime Feed there and no contract exists at that address.

The sequencerUptimeFeed cannot be updated after deployment, meaning if Chainlink changes the feed address in the future, the contract will break and require redeployment.

Vulnerability Details

function initialize() external initializer {
    __Ownable2Step_init();
    // Address of Chainlink's Arbitrum L2 Sequencer Uptime Feed, fixed at initialization with no setter
    sequencerUptimeFeed = AggregatorV2V3Interface(0xFdB631F5EE196F0ed6FAa767959853A9F217697D);
}

The contract assumes that the sequencerUptimeFeed is always at 0xFdB631F5EE196F0ed6FAa767959853A9F217697D, which is only valid on Arbitrum.

Avalanche has no sequencer and therefore no Chainlink Sequencer Uptime Feed. Nothing is deployed at that address on Avalanche, so every call the contract makes to sequencerUptimeFeed (for example latestRoundData) reverts, and every function guarded by the sequencer check reverts with it.

The address is set once during initialization and cannot be updated. If Chainlink updates or migrates its sequencer uptime feed contract in the future, the contract will become obsolete and require a full redeployment.

Impact

Any function using sequencerUptimeFeed on Avalanche will revert because no contract exists at that address there.

If Chainlink migrates its Sequencer Uptime Feed contract, all interactions will fail, making the contract useless.

Tools Used

Manual Review

Recommendations

Instead of hardcoding, pass the sequencerUptimeFeed address to initialize and expose an owner-only setter so it can be updated after deployment. Validate any non-zero address before storing it (it must be a contract that answers latestRoundData), and treat the zero address as "this chain has no sequencer" so the check is skipped on L1 deployments such as Avalanche rather than reverting.
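The recommendation as an added Solidity example; this is not DeFiFoundry's code. It assumes OpenZeppelin v4 upgradeable contracts (the no-argument __Ownable2Step_init used by the original snippet), declares the minimal Chainlink feed interface inline, and the contract name, GRACE_PERIOD, the whenSequencerUp modifier and run() are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin v4 upgradeable package (no-arg __Ownable2Step_init).
import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";

// Minimal subset of Chainlink's AggregatorV2V3Interface, declared inline so the example is self-contained.
interface AggregatorV2V3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract name for the example.
contract SequencerAwareFlow is Ownable2StepUpgradeable {
    // Zero address means "this chain has no sequencer" (an L1 such as Avalanche): the check is skipped.
    AggregatorV2V3Interface public sequencerUptimeFeed;

    // Time the sequencer must have been back up before actions are accepted again (assumed value).
    uint256 public constant GRACE_PERIOD = 1 hours;

    uint256 public runs;

    event SequencerUptimeFeedSet(address indexed previousFeed, address indexed newFeed);

    error FeedNotAContract(address feed);
    error SequencerDown();
    error GracePeriodNotOver(uint256 remainingSeconds);

    // The feed is a deployment parameter, not a constant: pass Arbitrum's feed on Arbitrum, address(0) on Avalanche.
    function initialize(address feed) external initializer {
        __Ownable2Step_init();
        _setSequencerUptimeFeed(feed);
    }

    // Owner can rotate the feed if Chainlink migrates it, without redeploying.
    function setSequencerUptimeFeed(address feed) external onlyOwner {
        _setSequencerUptimeFeed(feed);
    }

    function _setSequencerUptimeFeed(address feed) internal {
        if (feed != address(0)) {
            // Reject EOAs and empty addresses; this is exactly the failure the hardcoded address hits on Avalanche.
            if (feed.code.length == 0) revert FeedNotAContract(feed);
            // Probe the interface so a wrong (non-feed) contract is rejected at configuration time, not at run time.
            AggregatorV2V3Interface(feed).latestRoundData();
        }
        emit SequencerUptimeFeedSet(address(sequencerUptimeFeed), feed);
        sequencerUptimeFeed = AggregatorV2V3Interface(feed);
    }

    // Chainlink sequencer feeds report answer == 0 when the sequencer is up and 1 when it is down;
    // startedAt is when the current status began.
    function _requireSequencerUp() internal view {
        AggregatorV2V3Interface feed = sequencerUptimeFeed;
        if (address(feed) == address(0)) return; // L1 deployment: nothing to check

        (, int256 answer, uint256 startedAt, , ) = feed.latestRoundData();
        if (answer != 0) revert SequencerDown();

        uint256 sinceUp = block.timestamp - startedAt;
        if (sinceUp < GRACE_PERIOD) revert GracePeriodNotOver(GRACE_PERIOD - sinceUp);
    }

    modifier whenSequencerUp() {
        _requireSequencerUp();
        _;
    }

    // Stand-in for the guarded actions (run / runNextAction in the original): counts accepted runs.
    function run() external whenSequencerUp returns (uint256) {
        runs += 1;
        return runs;
    }
}
```

With this layout the same bytecode is deployed on both chains and only the initializer argument differs; the probe in _setSequencerUptimeFeed makes a misconfigured address fail loudly at setup instead of bricking every guarded function afterwards.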

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_Avalanche_has_no_sequencer

Likelihood: High, run and runNextAction will revert. Impact: Low, any deposit will be retrieved thanks to cancelFlow.
