search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

tsvetanovv - Missing check for active Arbitrum Sequencer in `ChainlinkAdapterOracle.sol` #57

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

tsvetanovv

medium

Missing check for active Arbitrum Sequencer in ChainlinkAdapterOracle.sol

Summary

In Q&A we see:

On what chains are the smart contracts going to be deployed?

  • Mainnet, Arbitrum

You should always check for sequencer availability when using Chainlink's Arbitrum price feeds.

Vulnerability Detail

Optimistic rollup protocols move all execution of the layer 1 (L1) Ethereum chain, complete execution on a layer 2 (L2) chain, and return the results of the L2 execution back to the L1. These protocols have a sequencer that executes and rolls up the L2 transactions by batching multiple transactions into a single transaction.

If a sequencer becomes unavailable, it is impossible to access read/write APIs that consumers are using and applications on the L2 network will be down for most users without interacting directly through the L1 optimistic rollup contracts. The L2 has not stopped, but it would be unfair to continue providing service on your applications when only a few users can use them.

Reference

Impact

If the Arbitrum Sequencer goes down, oracle data will not be kept up to date, and thus could become stale.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/ChainlinkAdapterOracle.sol#L24

Tool used

Manual Review

Recommendation

Check this example -> https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

Duplicate of #142

cvetanovv commented 1 year ago

Escalate for 10 USDC

This issue is duplicated on #142

sherlock-admin commented 1 year ago

Escalate for 10 USDC

This issue is duplicated on #142

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

ctf-sec commented 1 year ago

Valid escalation

hrishibhat commented 1 year ago

Escalation accepted

Valid duplicate of #142

sherlock-admin commented 1 year ago

Escalation accepted

Valid duplicate of #142

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.