search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

J4de - `ChainlinkAdapterOracle.sol#getPrice` function does not check `sequencerUptimeFeed` #69

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

J4de

medium

ChainlinkAdapterOracle.sol#getPrice function does not check sequencerUptimeFeed

Summary

ChainlinkAdapterOracle.sol#getPrice function does not check sequencerUptimeFeed

Vulnerability Detail

To use the chainlink oracle on the L2 chain, you must first check the sequencerUptimeFeed.

This is the official chainlink example: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

Impact

May result in an unexpected price.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/ChainlinkAdapterOracle.sol#L77-L97

Tool used

Manual Review

Recommendation

    function getPrice(address token_) external view override returns (uint256) {
        // remap token if possible
        address token = remappedTokens[token_];
        if (token == address(0)) token = token_;

        uint256 maxDelayTime = timeGaps[token];
        if (maxDelayTime == 0) revert Errors.NO_MAX_DELAY(token_);

+       (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
+       // Answer == 0: Sequencer is up
+       // Answer == 1: Sequencer is down
+       bool isSequencerUp = answer == 0;
+       if (!isSequencerUp) { revert SequencerDown(); }

        // Get token-USD price
        uint256 decimals = registry.decimals(token, USD);
        (, int256 answer, , uint256 updatedAt, ) = registry.latestRoundData(
            token,
            USD
        );
        if (updatedAt < block.timestamp - maxDelayTime)
            revert Errors.PRICE_OUTDATED(token_);
        if (answer <= 0) revert Errors.PRICE_NEGATIVE(token_);

        return
            (answer.toUint256() * Constants.PRICE_PRECISION) / 10 ** decimals;
    }

Duplicate of #142