Avci - getVestedFraction missed to check If Arbitrum sequencer is down

[sherlock-admin2]

Avci

medium

getVestedFraction missed to check If Arbitrum sequencer is down

Summary

getVestedFraction PriceTierVestingSale_2_0.sol missed checking If Arbitrum sequencer is down

Vulnerability Detail

pricetiervesting.sol contract is not in the scope however getVestedFraction function used PriceTierVestingSale_2_0.sol which is in scope

When utilizing Chainlink in L2 chains like Arbitrum, it's important to ensure that the prices provided are not falsely perceived as fresh, even when the sequencer is down. This vulnerability could potentially be exploited by malicious actors to gain an unfair advantage.

If the sequencer is down, messages cannot be transmitted from L1 to L2 and no L2 transactions are executed. Instead, messages are enqueued in the CanonicalTransactionChain on L1

https://github.com/sherlock-audit/2023-02-bond-judging/issues/1

https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

https://github.com/sherlock-audit/2022-11-sentiment-judging/issues/3

https://github.com/sherlock-audit/2023-01-sentiment-judging/issues/16

On the L1 network:

1.A network of node operators runs the external adapter to post the latest sequencer status to the AggregatorProxy contract and relays the status to the Aggregator contract. The Aggregator contract calls the validate function in the OptimismValidator contract.

2.The OptimismValidator contract calls the sendMessage function in the L1CrossDomainMessenger contract. This message contains instructions to call the updateStatus(bool status, uint64 timestamp) function in the sequencer uptime feed deployed on the L2 network.

3.The L1CrossDomainMessenger contract calls the enqueue function to enqueue a new message to the CanonicalTransactionChain.

4.The Sequencer processes the transaction enqueued in the CanonicalTransactionChain contract to send it to the L2 contract.

On the L2 network:

1.The Sequencer posts the message to the L2CrossDomainMessenger contract.

2.The L2CrossDomainMessenger contract relays the message to the OptimismSequencerUptimeFeed contract.

3.The message relayed by the L2CrossDomainMessenger contains instructions to call updateStatus in the OptimismSequencerUptimeFeed contract.

4.Consumers can then read from the AggregatorProxy contract, which fetches the latest round data from the OptimismSequencerUptimeFeed contract.

Impact

could potentially be exploited by malicious actors to gain an unfair advantage.

Code Snippet

  function getClaimableAmount(address beneficiary) public view override returns (uint256) {
    if (records[beneficiary].initialized) return super.getClaimableAmount(beneficiary);

    // we can get the claimable amount prior to initialization
    return
      (getPurchasedAmount(beneficiary) * getVestedFraction(beneficiary, block.timestamp)) /
      fractionDenominator;
  }
}

https://github.com/sherlock-audit/2023-06-tokensoft/blob/cadbe297bc8bcc119f664d26afd7b8b1416633af/contracts/contracts/claim/PriceTierVestingSale_2_0.sol#L128

Tool used

Manual Review

Recommendation

The recommendation is to implement a check for the sequencer in the L2 version of the contract, and a code example of Chainlink can be found at https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code.

Duplicate of #64

[Shogoki]

Escalate This is a duplicate of #64 and should be judged the same. It was excluded because of unclear scope definitions (see my comments on #64)

[sherlock-admin2]

Escalate This is a duplicate of #64 and should be judged the same. It was excluded because of unclear scope definitions (see my comments on #64)

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[hrishibhat]

Result: Medium Duplicate of #64

[sherlock-admin2]

Escalations have been resolved successfully!

Escalation status:

• Shogoki: accepted