code-423n4 / 2024-05-predy-validation


Missing L2 Sequencer status check in `getSqrtPrice` function #608

Closed c4-bot-10 closed 3 months ago

c4-bot-10 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PriceFeed.sol#L45-L58

Vulnerability details

Impact

According to the README.md, the protocol will be deployed on L2 solutions like Arbitrum, Base and Optimism.

The getSqrtPrice function in the PriceFeed contract does not include a check to verify the uptime status of the L2 sequencer. This is crucial for protocols deployed on Layer 2 solutions where the sequencer's status can affect the reliability of price feeds.

With the absence of L2 Sequencer checks, stale or invalid prices may appear fresh.

Proof of Concept

The getSqrtPrice function is responsible for retrieving and calculating the square root of the base token price quoted in the quote token; however, it does not include a check for the status of the L2 Sequencer.

    function getSqrtPrice() external view returns (uint256 sqrtPrice) {
        // Quote price from Chainlink. No sequencer uptime check precedes this call,
        // and the round's updatedAt timestamp is discarded, so a stale answer is accepted as fresh.
        (, int256 quoteAnswer,,,) = AggregatorV3Interface(_quotePriceFeed).latestRoundData();

        // Base price from Pyth, bounded by VALID_TIME_PERIOD on the Pyth side.
        IPyth.Price memory basePrice = IPyth(_pyth).getPriceNoOlderThan(_priceId, VALID_TIME_PERIOD);

        require(basePrice.expo == -8, "INVALID_EXP");

        require(quoteAnswer > 0 && basePrice.price > 0);

        // price = base / quote, scaled by Q96 twice and corrected for the decimals difference.
        uint256 price = uint256(int256(basePrice.price)) * Constants.Q96 / uint256(quoteAnswer);
        price = price * Constants.Q96 / _decimalsDiff;

        sqrtPrice = FixedPointMathLib.sqrt(price);
    }

Without checking the L2 Sequencer status, the function might use stale or invalid price data during sequencer downtime, leading to incorrect or inconsistent price calculations which can be leveraged by malicious actors to gain unfair advantage.

Tools Used

Manual review

Recommended Mitigation Steps

Implement a check to verify the uptime status.

It is recommended to follow the Chainlink example code.

Assessed type

Other
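The following is an added, self-contained illustration of the recommended mitigation; it is not code from the Predy repository or from the warden's report. It wires the Chainlink L2 Sequencer Uptime Feed pattern (answer == 0 means the sequencer is up, then a grace period measured from startedAt) in front of the price read from the original snippet, and additionally rejects a quote round whose updatedAt is older than an assumed bound, since latestRoundData itself never reverts on staleness. The interface shapes, the constructor parameters, the constants VALID_TIME_PERIOD, GRACE_PERIOD_TIME and QUOTE_MAX_AGE, and the inline square root are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal Chainlink aggregator interface; the real AggregatorV3Interface has this signature.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Assumed stand-in for the IPyth.Price struct and getter used by the snippet in the report.
interface IPyth {
    struct Price {
        int64 price;
        uint64 conf;
        int32 expo;
        uint256 publishTime;
    }

    function getPriceNoOlderThan(bytes32 id, uint256 age) external view returns (Price memory);
}

contract SequencerAwarePriceFeed {
    error SequencerDown();
    error GracePeriodNotOver();
    error StaleQuotePrice();

    uint256 private constant Q96 = 2 ** 96;
    uint256 private constant VALID_TIME_PERIOD = 60;    // assumed max Pyth price age, seconds
    uint256 private constant GRACE_PERIOD_TIME = 3600;  // value used in the Chainlink docs example, seconds
    uint256 private constant QUOTE_MAX_AGE = 1 hours;   // assumed max age of the Chainlink quote round

    address private immutable _quotePriceFeed;
    address private immutable _sequencerUptimeFeed;
    address private immutable _pyth;
    bytes32 private immutable _priceId;
    uint256 private immutable _decimalsDiff;

    constructor(address quotePriceFeed, address sequencerUptimeFeed, address pyth, bytes32 priceId, uint256 decimalsDiff) {
        require(decimalsDiff > 0, "ZERO_DECIMALS_DIFF");
        _quotePriceFeed = quotePriceFeed;
        _sequencerUptimeFeed = sequencerUptimeFeed;
        _pyth = pyth;
        _priceId = priceId;
        _decimalsDiff = decimalsDiff;
    }

    // Chainlink L2 Sequencer Uptime Feed check: revert while the sequencer is down and
    // for GRACE_PERIOD_TIME after it comes back, so that queued stale updates can flush first.
    function _checkSequencer() internal view {
        (, int256 answer, uint256 startedAt,,) = AggregatorV3Interface(_sequencerUptimeFeed).latestRoundData();
        // answer == 0: sequencer is up; answer == 1: sequencer is down.
        if (answer != 0) revert SequencerDown();
        // startedAt is the timestamp of the last status change (the moment the sequencer came back up).
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();
    }

    function getSqrtPrice() external view returns (uint256 sqrtPrice) {
        _checkSequencer();

        // Keep updatedAt this time so that a round left over from an outage can be rejected.
        (, int256 quoteAnswer,, uint256 updatedAt,) = AggregatorV3Interface(_quotePriceFeed).latestRoundData();
        if (block.timestamp - updatedAt > QUOTE_MAX_AGE) revert StaleQuotePrice();

        // Pyth already bounds the base price age by publishTime via VALID_TIME_PERIOD.
        IPyth.Price memory basePrice = IPyth(_pyth).getPriceNoOlderThan(_priceId, VALID_TIME_PERIOD);

        require(basePrice.expo == -8, "INVALID_EXP");
        require(quoteAnswer > 0 && basePrice.price > 0, "NON_POSITIVE_PRICE");

        // Same arithmetic as the original snippet: base / quote, scaled by Q96 twice, decimals corrected.
        uint256 price = uint256(int256(basePrice.price)) * Q96 / uint256(quoteAnswer);
        price = price * Q96 / _decimalsDiff;

        sqrtPrice = _sqrt(price);
    }

    // Babylonian integer square root (floor); stands in for FixedPointMathLib.sqrt in this example.
    function _sqrt(uint256 x) internal pure returns (uint256 y) {
        if (x == 0) return 0;
        uint256 z = (x + 1) / 2;
        y = x;
        while (z < y) {
            y = z;
            z = (x / z + z) / 2;
        }
    }
}
```

The sequencer feed address differs per network (Arbitrum, Base and Optimism each have their own), so it belongs in the deployment configuration rather than in code, and the check only protects the Chainlink leg of the price: the Pyth leg is already bounded by getPriceNoOlderThan, which is why the example leaves that call unchanged.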