hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

No check for active Arbitrum Sequencer in `PriceOracle` #40

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: --
Twitter username: p_tolev
Submission hash (on-chain): 0x3587663b56f6e3692983dd8491f33e2daa72c021b4358227f6569fb8819a9bca
Severity: low

Description: Chainlink advises all Optimistic L2 oracles to consult the Sequencer Uptime Feed, ensuring the sequencer is live before trusting the data returned by the oracle. This check is bypassed in the `PriceOracle._latestRoundData()` function, which is later used to convert the asset price to USD in `PriceOracleAbstract.convertToUSD18Decimals()`.

Attack Scenario: If the Arbitrum Sequencer becomes unavailable, the oracle data will not update, potentially becoming stale. Despite this, users can continue interacting with the protocol. Please refer to Chainlink's documentation on L2 Sequencer Uptime Feeds for more information.

Consequently, users might operate the protocol while oracle feeds are stale, leading to several potential issues. Here's a simple example:

  1. A user has an account with 100 tokens, each valued at 1 ETH, with no borrows.
  2. The Arbitrum sequencer temporarily goes offline.
  3. During this downtime, the token price drops to 0.5 ETH each.
  4. This leads to an incorrect conversion of the token price to USD.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

Files:
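For readers following the report, here is the sequencer-uptime guard Chainlink documents for L2 deployments, written as an added example (not Velvet Capital's `PriceOracle` or `PriceOracleL2` code): the contract name, the `GRACE_PERIOD_TIME` and `MAX_PRICE_AGE` values, and the `@chainlink/contracts` import path are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed import path; adjust to the installed @chainlink/contracts version.
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/// Illustrative oracle wrapper (not the project's code) showing the check
/// the report says `PriceOracle._latestRoundData()` lacks.
contract SequencerAwareOracleExample {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();

    AggregatorV3Interface public immutable sequencerUptimeFeed; // L2 uptime feed
    uint256 public constant GRACE_PERIOD_TIME = 3600;  // assumed: 1 hour after restart
    uint256 public constant MAX_PRICE_AGE = 1 days;    // assumed: tune per feed heartbeat

    constructor(address _sequencerUptimeFeed) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
    }

    /// Reverts unless the sequencer is up and the post-restart grace period is over.
    function _checkSequencer() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        // Uptime feed semantics: answer == 0 means up, answer == 1 means down.
        if (answer != 0) revert SequencerDown();
        // startedAt is when the current status began; price feeds need time
        // to refresh after the sequencer resumes, so wait out the grace period.
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();
    }

    /// Reads a price feed only after the sequencer check and rejects stale rounds.
    function _latestRoundData(AggregatorV3Interface feed) internal view returns (uint256) {
        _checkSequencer();
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        if (answer <= 0) revert StalePrice();
        if (updatedAt == 0 || block.timestamp - updatedAt > MAX_PRICE_AGE) revert StalePrice();
        if (answeredInRound < roundId) revert StalePrice();
        return uint256(answer);
    }
}
```

With this guard, a call made while the sequencer is down (or within the grace period after it returns) reverts instead of converting a price that may no longer reflect the market, which is the failure mode the attack scenario above describes.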

langnavina97 commented 1 week ago

DUPLICATE #28

The PriceOracleL2 contract already includes the necessary checks to ensure the sequencer's status is verified, preventing the usage of stale prices. This mitigates the risk described in the attack scenario.