search

sherlock-audit / 2023-04-jojo-judging

7 stars 4 forks source link

GimelSec - Doesn't check If Arbitrum sequencer is down in `chainlinkAdaptor` #412

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

GimelSec

medium

Doesn't check If Arbitrum sequencer is down in chainlinkAdaptor

Summary

When using Chainlink in Arbitrum, it's important to ensure that Arbitrum Sequencer is active.

Vulnerability Detail

Chainlink is used in chainlinkAdaptor.getMarkPrice() https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/adaptor/chainlinkAdaptor.sol#L43

    function getMarkPrice() external view returns (uint256 price) {
        int256 rawPrice;
        uint256 updatedAt;
        (, rawPrice, , updatedAt, ) = IChainlink(chainlink).latestRoundData();
        (, int256 USDCPrice,, uint256 USDCUpdatedAt,) = IChainlink(USDCSource).latestRoundData();
        require(
            block.timestamp - updatedAt <= heartbeatInterval,
            "ORACLE_HEARTBEAT_FAILED"
        );
        require(block.timestamp - USDCUpdatedAt <= heartbeatInterval, "USDC_ORACLE_HEARTBEAT_FAILED");
        uint256 tokenPrice = (SafeCast.toUint256(rawPrice) * 1e8) / SafeCast.toUint256(USDCPrice);
        return tokenPrice * 1e18 / decimalsCorrection;
    }

And it is said that the protocol is going to deploy on Arbitrum https://github.com/sherlock-audit/2023-04-jojo-rayn731/tree/main#q-on-what-chains-are-the-smart-contracts-going-to-be-deployed

Q: On what chains are the smart contracts going to be deployed?
Arbitrum

Impact

A stale price could be used when checking the safety of accounts.

Code Snippet

https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/adaptor/chainlinkAdaptor.sol#L43

Tool used

Manual Review

Recommendation

Follow the code example from Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

Duplicate of #101