Chainlink on L2 chains such as Arbitrum requires a check if the sequencer is down in order to avoid the usage of obsolete prices.
lines 97-113 in ChainlinkOracle.sol
function getChainlinkPrice(
AggregatorV3Interface feed
) internal view returns (uint256) {
(, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(feed)
.latestRoundData();
require(answer > 0, "Chainlink price cannot be lower than 0");
require(updatedAt != 0, "Round is in incompleted state");
// Chainlink USD-denominated feeds store answers at 8 decimals
uint256 decimalDelta = uint256(18).sub(feed.decimals());
// Ensure that we don't multiply the result by 0
if (decimalDelta > 0) {
return uint256(answer).mul(10 ** decimalDelta);
} else {
return uint256(answer);
}
}
lines 180-195 in ChainlinkCompositeOracle.sol
function getPriceAndDecimals(
address oracleAddress
) public view returns (int256, uint8) {
(
uint80 roundId,
int256 price,
,
,
uint80 answeredInRound
) = AggregatorV3Interface(oracleAddress).latestRoundData();
bool valid = price > 0 && answeredInRound == roundId;
require(valid, "CLCOracle: Oracle data is invalid");
uint8 oracleDecimals = AggregatorV3Interface(oracleAddress).decimals();
return (price, oracleDecimals); /// price always gt 0 at this point
}
Proof of Concept
An incorrect price could be used in functions getPrice and getUnderlyingPrice invoked by the Comptroller and ChainlinkCompositeOracle which would put at risk the protocol's solvency.
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkOracle.sol#L97 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkCompositeOracle.sol#L180
Vulnerability details
Impact
Chainlink on L2 chains such as Arbitrum requires a check if the sequencer is down in order to avoid the usage of obsolete prices.
lines 97-113 in ChainlinkOracle.sol
lines 180-195 in ChainlinkCompositeOracle.sol
Proof of Concept
An incorrect price could be used in functions
getPrice
andgetUnderlyingPrice
invoked by the Comptroller and ChainlinkCompositeOracle which would put at risk the protocol's solvency.Tools Used
Manual VS code
Recommended Mitigation Steps
It is recommended to follow the code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
Assessed type
Oracle