search

sherlock-audit / 2023-07-blueberry-judging

2 stars 1 forks source link

Oxhunter526 - `ChainlinkAdapterOracleL2` Susceptible to DoS Due to Lack of Error Handling #90

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

Oxhunter526

medium

ChainlinkAdapterOracleL2 Susceptible to DoS Due to Lack of Error Handling

Summary

The ChainlinkAdapterOracleL2 contract, designed to fetch price data from Chainlink's data feeds on Layer 2 networks, lacks adequate error handling and fallback logic. Specifically, the contract heavily relies on Chainlink's latestRoundData() function to retrieve the latest price data. However, without proper error handling, this reliance poses a risk of potential denial of service (DoS) attacks. If the contract's access to the Chainlink data feed is denied or encounters an error, the contract will revert, leading to a potential permanent disruption in querying prices.

Vulnerability Detail

The vulnerability stems from the getPrice function within the ChainlinkAdapterOracleL2 contract. This function employs the Chainlink latestRoundData() function to fetch price information. However, it does not implement any fallback mechanism to handle situations where access to the Chainlink data feed is denied. Consequently, if the Chainlink multisigs decide to block the contract's access to the data feed, the contract will permanently fail to query prices, rendering it unable to provide accurate price information.\

// Vulnerable function in ChainlinkAdapterOracleL2 contract
function getPrice(address token_) external view override returns (uint256) {
    // ...

    // Fetch L2 sequencer status
    (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();

    // ...

    // Fetch the price from the Chainlink feed
    (uint80 roundID, int256 price, , uint256 updatedAt, uint80 answeredInRound) = AggregatorV3Interface(priceFeed).latestRoundData();

    // ...

    return (price.toUint256() * Constants.PRICE_PRECISION) / Constants.CHAINLINK_PRICE_FEED_PRECISION;
}

Impact

Price data unavailability hampers value assessments and triggers operational instability, causing economic disruptions.

Code Snippet

Link

Tool used

Manual Review

Recommendation

The contract should implement proper error handling and fallback logic within the getPrice function.

sherlock-admin2 commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

0xyPhilic commented:

invalid because the chances of this occuring are very small and issue can be considered informational

darkart commented:

Invalid