ChainlinkAdapterOracle's getPrice() doesn't check if Arbitrum L2 sequencer is down
Summary
The smart contracts of Blueberry are going to be uploaded on both the Mainnet and Arbitrum
Using Chainlink in L2 chains such as Arbitrum requires to check if the sequencer is down to avoid prices from looking like they are fresh although they are not.
The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.
Vulnerability Detail
There is a lack of a check if the L2 Arbitrum sequencer is down
function getPrice(address token_) external view override returns (uint256) {
// remap token if possible
address token = remappedTokens[token_];
if (token == address(0)) token = token_;
uint256 maxDelayTime = timeGaps[token];
if (maxDelayTime == 0) revert Errors.NO_MAX_DELAY(token_);
// Get token-USD price
uint256 decimals = registry.decimals(token, USD);
(, int256 answer, , uint256 updatedAt, ) = registry.latestRoundData(
token,
USD
);
if (updatedAt < block.timestamp - maxDelayTime)
revert Errors.PRICE_OUTDATED(token_);
if (answer <= 0) revert Errors.PRICE_NEGATIVE(token_);
return
(answer.toUint256() * Constants.PRICE_PRECISION) / 10 ** decimals;
}
}
Impact
Could potentially be exploited by malicious actors to gain an unfair advantage.
Example:
Users can get better borrows if the price is above the actual price
Users can avoid liquidations if the price is under the actual price
deadrxsezzz
medium
ChainlinkAdapterOracle's getPrice() doesn't check if Arbitrum L2 sequencer is down
Summary
The smart contracts of Blueberry are going to be uploaded on both the Mainnet and Arbitrum Using Chainlink in L2 chains such as Arbitrum requires to check if the sequencer is down to avoid prices from looking like they are fresh although they are not.
The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.
Vulnerability Detail
There is a lack of a check if the L2 Arbitrum sequencer is down
Impact
Could potentially be exploited by malicious actors to gain an unfair advantage. Example:
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/ChainlinkAdapterOracle.sol#L77-#L98 Links to same issue in past Sherlock contests being validated as a Medium:
Tool used
Manual Review
Recommendation
It is recommended to follow the code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
Duplicate of #142