Jaraxxus - No check if Arbitrum L2 sequencer is down in Chainlink feeds

[sherlock-admin]

Jaraxxus

medium

No check if Arbitrum L2 sequencer is down in Chainlink feeds

Summary

Using Chainlink in L2 chains such as Arbitrum requires to check if the sequencer is down to avoid prices from looking like they are fresh although they are not.

The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.

Vulnerability Detail

The protocol uses Chainlink to query the latest data and mentions that they will be using Arbitrum to launch their protocol. There is no check that the sequencer is down.

    function getLatestRound(ChainlinkAggregator self) internal view returns (ChainlinkRound memory) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, ) =
            AggregatorProxyInterface(ChainlinkAggregator.unwrap(self)).latestRoundData();
        return ChainlinkRound({roundId: roundId, timestamp: updatedAt, answer: answer});
    }

    /**
     * @notice Returns a specific round's data for a specific feed
     * @param self Chainlink Feed Aggregator to operate on
     * @param roundId The specific round to fetch data for
     * @return Specific round's data
     */
    function getRound(ChainlinkAggregator self, uint256 roundId) internal view returns (ChainlinkRound memory) {
        (, int256 answer, , uint256 updatedAt, ) =
            AggregatorProxyInterface(ChainlinkAggregator.unwrap(self)).getRoundData(uint80(roundId));
        return ChainlinkRound({roundId: roundId, timestamp: updatedAt, answer: answer});
    }

Impact

Could potentially be exploited by malicious actors to gain an unfair advantage

Code Snippet

https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-oracle/contracts/types/ChainlinkAggregator.sol#L32-L48

Tool used

Manual Review

Recommendation

Check that the sequencer is active when querying results

code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

Duplicate of #13