Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PriceFeed.sol#L45-L58
Vulnerability details
Impact
According to the README.md, the protocol will be deployed on L2 solutions like Arbitrum, Base and Optimism. The getSqrtPrice function in the PriceFeed contract does not include a check to verify the uptime status of the L2 sequencer. This is crucial for protocols deployed on Layer 2 solutions, where the sequencer's status can affect the reliability of price feeds. In the absence of an L2 sequencer check, stale or invalid prices may appear fresh.
Proof of Concept
The getSqrtPrice function is responsible for retrieving the base token price quoted in the quote token and calculating its square root. It does not include a check for the status of the L2 sequencer. Without checking the L2 sequencer status, the function might use stale or invalid price data during sequencer downtime, leading to incorrect or inconsistent price calculations that can be leveraged by malicious actors to gain an unfair advantage.
Tools Used
Manual review
Recommended Mitigation Steps
Implement a check to verify the uptime status.
It is recommended to follow the Chainlink example code.
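The following is an added example of the recommended check, written for this report and not taken from the Predy code base. It follows the pattern in the Chainlink sequencer uptime feed documentation: read latestRoundData() from the uptime feed, treat answer == 0 as "sequencer up", and refuse to serve prices until a grace period has elapsed since startedAt (the time the sequencer came back), so that a burst of queued updates after an outage cannot be consumed as fresh data. The feed addresses, the GRACE_PERIOD value, the staleness window and the wrapper contract name are assumptions; the square-root computation is a generic Babylonian routine, not the project's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not the project's code): an L2 sequencer uptime check in the
// style of the Chainlink docs, placed in front of a sqrt-price computation.

interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract SequencerGuardedPriceFeed {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();
    error InvalidPrice();

    AggregatorV3Interface public immutable sequencerUptimeFeed; // assumed L2 uptime feed address
    AggregatorV3Interface public immutable basePerQuoteFeed;    // assumed base/quote price feed

    uint256 public constant GRACE_PERIOD = 3600;   // assumption: 1 hour after sequencer recovery
    uint256 public constant MAX_PRICE_AGE = 3600;  // assumption: reject feed answers older than this

    constructor(address _sequencerUptimeFeed, address _basePerQuoteFeed) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
        basePerQuoteFeed = AggregatorV3Interface(_basePerQuoteFeed);
    }

    // Reverts unless the sequencer is up and has been up for longer than GRACE_PERIOD.
    function _checkSequencer() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();

        // Chainlink convention for uptime feeds: 0 = sequencer up, 1 = sequencer down.
        if (answer != 0) revert SequencerDown();

        // startedAt is the timestamp of the latest status change, i.e. when the
        // sequencer came back; do not trust prices until the grace period has passed.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }

    // Returns sqrt(base price quoted in quote token) after both guards pass.
    function getSqrtPrice() external view returns (uint256) {
        _checkSequencer();

        (, int256 price, , uint256 updatedAt, ) = basePerQuoteFeed.latestRoundData();
        if (price <= 0) revert InvalidPrice();
        // Independent staleness check: the sequencer guard alone does not prove the
        // price round itself is recent.
        if (block.timestamp - updatedAt > MAX_PRICE_AGE) revert StalePrice();

        return _sqrt(uint256(price));
    }

    // Babylonian integer square root (floor).
    function _sqrt(uint256 x) internal pure returns (uint256 y) {
        if (x == 0) return 0;
        uint256 z = (x + 1) / 2;
        y = x;
        while (z < y) {
            y = z;
            z = (x / z + z) / 2;
        }
    }
}
```

The two checks are deliberately separate: the uptime feed says whether the chain was accepting transactions, while updatedAt on the price round says whether the price itself is current. A protocol that only adds the sequencer guard can still consume a round that was last updated before the outage, so both conditions should gate the return value of getSqrtPrice.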
Assessed type
Other