Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkOracle.sol#L97-L113
Vulnerability details
Impact
Stale prices may be used after the sequencer comes back online. If the Sequencer goes down, the protocol will allow users to continue to operate at the previous (stale) rates.
Proof of Concept
As I understand from Discord, this Moonwell will be deployed to Base chain. Base chain is one of the newest L2s, created by Coinbase.
This Moonwell will utilize an oracle from Chainlink, and based on https://docs.chain.link/data-feeds/l2-sequencer-feeds/ there is a sequencer that executes and rolls up the L2 transactions by batching multiple transactions into a single transaction. Since Base is an L2 whose L1 is Ethereum, there is a high chance Chainlink will also introduce this sequencer on Base chain.
Chainlink recommends that all L2 oracles consult the Sequencer Uptime Feed to ensure that the sequencer is live before trusting the data returned by the oracle.
If the Sequencer goes down, oracle data will not be kept up to date, and thus could become stale. However, users are able to continue to interact with the protocol directly through the L1 contract. You can review Chainlink docs on L2 Sequencer Uptime Feeds for more details on this.
Without a check for whether the Sequencer is down, the transaction will be queued, resulting in the ability to use older prices, as the timestamp from L1 will be that of the original submission and not that of the time of processing.
This is because the L2 will enqueue the TX and store the original timestamp from L1 at the time of submission, not at the time of processing.
As a result, users may be able to use the protocol while oracle feeds are stale. This could cause all sorts of problems.
Tools Used
Manual analysis
Recommended Mitigation Steps
Remediation Steps
Consider reverting if the Sequencer is offline.
See the queue system here: https://docs.chain.link/data-feeds/l2-sequencer-feeds/
Check the Chainlink Documentation for a full example: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
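How the recommended revert fits into a price read, as an added Solidity example (this is not Moonwell's ChainlinkOracle code): the uptime-feed and price-feed addresses, the one-hour grace period and the heartbeat value are assumptions that must match the feeds actually used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface so this file compiles stand-alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Illustrative price reader that refuses to serve a price while the L2
///         sequencer is down or has only just recovered. Added example, not Moonwell code.
contract SequencerAwarePriceReader {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();
    error InvalidPrice();

    AggregatorV3Interface public immutable sequencerUptimeFeed;
    AggregatorV3Interface public immutable priceFeed;

    // Assumed values: one hour of grace after the sequencer comes back, and the
    // price feed's heartbeat (max age of an answer) supplied at deployment.
    uint256 public constant GRACE_PERIOD_TIME = 3600;
    uint256 public immutable heartbeat;

    constructor(address _sequencerUptimeFeed, address _priceFeed, uint256 _heartbeat) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
        priceFeed = AggregatorV3Interface(_priceFeed);
        heartbeat = _heartbeat;
    }

    function getPrice() external view returns (uint256) {
        // Uptime feed: answer == 0 means the sequencer is up, 1 means it is down;
        // startedAt is the time the current status began.
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (answer != 0) revert SequencerDown();
        // Right after recovery the price feed may not have caught up yet, so wait out a grace period.
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();

        (, int256 price, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        if (price <= 0) revert InvalidPrice();
        // Reject an answer older than the heartbeat: a transaction queued from L1 during an
        // outage and executed afterwards would otherwise read the pre-outage value.
        if (block.timestamp - updatedAt > heartbeat) revert StalePrice();
        return uint256(price);
    }
}
```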
Assessed type
Oracle