Sequencer downtime is not checked when using Chainlink oracle
Summary
Chainlink used on Arbitrum should check sequencer downtime. This ensures that return prices are fresh even when sequencer is down. This can potentially be abused by adversaries to gain benefits at the cost of the protocol.
Vulnerability Detail
There is a missing check of sequencer downtime in the chainlink registry. Since protocol is intended to be deployed on Arbitrum, sequencer downtime should be checked. Chainlink documentation also warns users that sequencer downtime should be checked on L2s.
Impact
Incorrect pricing returned by the oracle can be abused by adversaries to gain benefits at cost of other users or the protocol.
yixxas
medium
Sequencer downtime is not checked when using Chainlink oracle
Summary
Chainlink used on Arbitrum should check sequencer downtime. This ensures that return prices are fresh even when sequencer is down. This can potentially be abused by adversaries to gain benefits at the cost of the protocol.
Vulnerability Detail
There is a missing check of sequencer downtime in the chainlink registry. Since protocol is intended to be deployed on Arbitrum, sequencer downtime should be checked. Chainlink documentation also warns users that sequencer downtime should be checked on L2s.
Impact
Incorrect pricing returned by the oracle can be abused by adversaries to gain benefits at cost of other users or the protocol.
Code Snippet
https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-oracle/contracts/ChainlinkOracle.sol#L59-L79
Tool used
Manual Review
Recommendation
Consider referring to the correct implementation of Chainlink on L2s https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
Duplicate of #13