getPrice() doesn't check if the Arbitrum sequencer is down in Chainlink feeds
Summary
Not checking whether the Arbitrum sequencer is down may let bad actors obtain stale prices that the oracle reports as fresh, giving them inconsistent and unfair pricing.
Vulnerability Detail
When using Chainlink on an L2 such as Arbitrum, it is important to ensure that prices are not falsely perceived as fresh while the sequencer is down. Chainlink data feeds on Arbitrum stop updating while the sequencer is offline; if the downtime is shorter than the configured maxDelayTime, the updatedAt staleness check still passes, so a price that no longer reflects the market is accepted as fresh. Chainlink therefore publishes an L2 Sequencer Uptime Feed and recommends checking it, plus a grace period after the sequencer comes back up, before consuming a price. Malicious actors could exploit the missing check to gain an unfair advantage.
Example: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
There is no such check in ChainlinkAdapterOracle.sol:
    function getPrice(address token_) external view override returns (uint256) {
        // remap token if possible
        address token = remappedTokens[token_];
        if (token == address(0)) token = token_;

        // per-token staleness window; zero means the token is not configured
        uint256 maxDelayTime = timeGaps[token];
        if (maxDelayTime == 0) revert Errors.NO_MAX_DELAY(token_);

        // Get token-USD price
        uint256 decimals = registry.decimals(token, USD);
        (, int256 answer, , uint256 updatedAt, ) = registry.latestRoundData(
            token,
            USD
        );
        // only the feed heartbeat is checked; nothing asks whether the sequencer is up
        if (updatedAt < block.timestamp - maxDelayTime)
            revert Errors.PRICE_OUTDATED(token_);
        if (answer <= 0) revert Errors.PRICE_NEGATIVE(token_);

        return
            (answer.toUint256() * Constants.PRICE_PRECISION) / 10 ** decimals;
    }
Impact
Positions could be valued using stale prices that the oracle reports as fresh, which malicious actors could exploit to gain an unfair advantage.
Bauer
medium
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/ChainlinkAdapterOracle.sol#L77-L97
Tool used
Manual Review
Recommendation
Query Chainlink's L2 Sequencer Uptime Feed in getPrice() and revert when the sequencer is down or when the grace period after it comes back up has not yet elapsed, as in Chainlink's example code.
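The sequencer check Chainlink recommends, wired in front of the getPrice() flow shown above. This is an added example, not Blueberry's code: the registry and uptime-feed addresses are constructor arguments, the PRICE_PRECISION value, error names, owner-only setters and the one-hour grace period (Chainlink's example value) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";
import "@chainlink/contracts/src/v0.8/interfaces/FeedRegistryInterface.sol";
import "@chainlink/contracts/src/v0.8/Denominations.sol";

/// Added example (not the project's code): Chainlink price lookup that refuses
/// to serve a price while the Arbitrum sequencer is down or just recovered.
contract SequencerAwareChainlinkOracle {
    // Chainlink's example grace period; assumed here, tune per deployment.
    uint256 public constant GRACE_PERIOD_TIME = 3600;
    // Assumed output precision (stands in for Constants.PRICE_PRECISION).
    uint256 public constant PRICE_PRECISION = 1e18;

    address public immutable owner;
    FeedRegistryInterface public immutable registry;
    // L2 Sequencer Uptime Feed: answer 0 = sequencer up, 1 = sequencer down.
    AggregatorV3Interface public immutable sequencerUptimeFeed;

    mapping(address => address) public remappedTokens;
    mapping(address => uint256) public timeGaps;

    error NotOwner();
    error NoMaxDelay(address token);
    error PriceOutdated(address token);
    error PriceNegative(address token);
    error SequencerDown();
    error GracePeriodNotOver();

    constructor(FeedRegistryInterface registry_, AggregatorV3Interface sequencerUptimeFeed_) {
        owner = msg.sender;
        registry = registry_;
        sequencerUptimeFeed = sequencerUptimeFeed_;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Assumed admin setters so the example is complete; the real project's
    // configuration functions may differ.
    function setTimeGap(address token, uint256 maxDelay) external onlyOwner {
        timeGaps[token] = maxDelay;
    }

    function setRemappedToken(address token, address remapped) external onlyOwner {
        remappedTokens[token] = remapped;
    }

    /// Reverts if the sequencer is down, or came back up less than
    /// GRACE_PERIOD_TIME ago (feeds may not have caught up yet).
    function _checkSequencerUp() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (answer != 0) revert SequencerDown();
        // startedAt is when the current "up" status began.
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();
    }

    function getPrice(address token_) external view returns (uint256) {
        // Sequencer check first: a heartbeat check alone cannot tell that
        // the feed stopped updating because the L2 stopped processing.
        _checkSequencerUp();

        address token = remappedTokens[token_];
        if (token == address(0)) token = token_;

        uint256 maxDelayTime = timeGaps[token];
        if (maxDelayTime == 0) revert NoMaxDelay(token_);

        uint256 decimals = registry.decimals(token, Denominations.USD);
        (, int256 answer, , uint256 updatedAt, ) =
            registry.latestRoundData(token, Denominations.USD);

        // Existing staleness and sign checks, kept as in the original flow.
        if (updatedAt < block.timestamp - maxDelayTime) revert PriceOutdated(token_);
        if (answer <= 0) revert PriceNegative(token_);

        // Safe cast: answer is strictly positive after the check above.
        return (uint256(answer) * PRICE_PRECISION) / 10 ** decimals;
    }
}
```

The ordering matters: the uptime check runs before the price read so that a transaction queued via L1 during an outage and executed when the sequencer resumes is rejected until the grace period has passed and the feed has had time to post a fresh round.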
Duplicate of #142