Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
Submission Details
Severity: medium
Valid

Missing L2 Sequencer uptime check

Root + Impact

Description

  • The protocol intends to deploy on "All EVM-compatible chains", which includes Layer 2 solutions like Arbitrum and Optimism.

  • The StrataxOracle relies solely on Chainlink feeds but lacks a mechanism to check if the L2 Sequencer is active.

// @> Root cause: No validation of L2 Sequencer status before trusting price feeds.
function getPrice(address _token) public view returns (uint256 price) {
    // ...
}

Risk

Likelihood:

  • L2 Sequencers occasionally go offline for maintenance or due to bugs.

Impact:

  • If the Sequencer goes down, execution of Chainlink update transactions halts, but the L2 state might still be readable or accessible via force inclusion (depending on the chain), or simply stale.

  • When the Sequencer comes back online, pending transactions are processed. Opportunistic traders can exploit the price difference between the stale L2 price and the real-world price before the Chainlink update transaction is processed.

Proof of Concept

.

Recommended Mitigation

Implement the Chainlink AggregatorV2V3Interface for the Sequencer Uptime Feed.
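
One way to implement such an uptime check, as an added example that is not Stratax or Chainlink code. The names `SequencerGuard`, `IUptimeFeed` and `checkSequencerUptime`, the custom errors, the one-hour `GRACE_PERIOD`, and the zero-address convention for chains without a feed are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal subset of the Chainlink aggregator interface needed to read the uptime feed.
interface IUptimeFeed {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper (assumed names); an oracle contract would inherit it.
abstract contract SequencerGuard {
    error SequencerDown();
    error GracePeriodNotOver(uint256 secondsSinceRestart);

    // Assumed value: wait after a restart so price feeds can catch up first.
    uint256 public constant GRACE_PERIOD = 1 hours;

    // Sequencer Uptime Feed of the target L2; address(0) where no feed exists (assumed convention).
    IUptimeFeed public immutable sequencerUptimeFeed;

    constructor(address _sequencerUptimeFeed) {
        sequencerUptimeFeed = IUptimeFeed(_sequencerUptimeFeed);
    }

    // Reverts while the sequencer is down or has only recently come back up.
    function checkSequencerUptime() public view {
        // L1 deployment or no feed configured: nothing to check.
        if (address(sequencerUptimeFeed) == address(0)) return;

        (, int256 answer, uint256 startedAt,,) = sequencerUptimeFeed.latestRoundData();

        // Uptime feed semantics: answer == 0 means up, answer == 1 means down.
        if (answer != 0) revert SequencerDown();

        // Defensive: a zero timestamp carries no status-change time, so treat it as not ready.
        if (startedAt == 0) revert SequencerDown();

        // startedAt is when the status last changed; prices stay untrusted until
        // the grace period has elapsed, which closes the post-restart window.
        uint256 sinceRestart = block.timestamp - startedAt;
        if (sinceRestart <= GRACE_PERIOD) revert GracePeriodNotOver(sinceRestart);
    }
}
```

The grace period is what addresses the restart scenario in the Impact section: a status of "up" alone does not mean the price feed has been refreshed yet.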

+ // Add interface and address for Sequencer Uptime Feed
+ function getPrice(address _token) public view returns (uint256 price) {
+ if (isL2) {
+ checkSequencerUptime();
+ }
+ // ... existing logic
+ }
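
Review bot: `checkSequencerUptime()` is called inside `getPrice` but the patch never defines it, and `isL2` is not declared either; the first added line is only a comment saying to add the interface and feed address. Spell the helper out in the patch: it should read the Sequencer Uptime Feed, revert while the feed reports the sequencer as down, and also revert for a grace period after it comes back, because the Impact section places the exploit window at the moment the sequencer resumes and before the Chainlink update is processed. It is also worth stating how `isL2` is set per deployment, since the protocol targets all EVM-compatible chains.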

Updates

Lead Judging Commences

izuman Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Price feed has no staleness check

StrataxOracle contract fails to check if the price is stale, which can mess up swap calculations.
