The project will be deployed on Ethereum Layer 2 networks such as Arbitrum and uses Chainlink Oracles for price feeds.
However, there is no checks if the L2 sequencer is active.
Vulnerability Detail
If the sequencer is not checked for activity and it goes down, this will result in the index oracles potentially having stale prices, as the L2-submitted transactions will not be processed.
This results in stale prices being provided for price of ETH in terms of the keeper token as these may be outdated prices prior to the downtime. These stale prices can hinder the keeper incentives which are crucial to well functioning of the project
Code Snippet
/// @notice Returns the price of ETH in terms of the keeper token
/// @return The price of ETH in terms of the keeper token
function _etherPrice() private view returns (UFixed18) {
(, int256 answer, , ,) = ethTokenOracleFeed().latestRoundData();
return UFixed18Lib.from(Fixed18Lib.ratio(answer, 1e8)); // chainlink eth-usd feed uses 8 decimals
}
Tool used
Manual Review
Recommendation
It is recommended to use sequencer oracle to determine whether the sequencer is offline or not by monitoring the status of the Arbitrum Sequencer, and don't allow transactions during these periods of inactivity.
MatricksDeCoder
medium
Missing checks for whether L2 sequences is active
Summary
The project will be deployed on Ethereum Layer 2 networks such as Arbitrum and uses Chainlink Oracles for price feeds. However, there is no checks if the L2 sequencer is active.
Vulnerability Detail
If the sequencer is not checked for activity and it goes down, this will result in the index oracles potentially having stale prices, as the L2-submitted transactions will not be processed.
Lines of code vulnerability -> https://github.com/sherlock-audit/2023-07-perennial/blob/main/root/contracts/attribute/Kept.sol#L62
Chainlink recommends that users using price oracles, check whether the Arbitrum sequencer is active. See details on sequencer feeds here -> https://docs.chain.link/data-feeds/l2-sequencer-feeds#arbitrum See details on sequencer uptime feeds here -> https://docs.chain.link/data-feeds#l2-sequencer-uptime-feeds See example Sherlock audit report with similar issues -> https://github.com/sherlock-audit/2023-04-blueberry-judging/issues/142
Impact
This results in stale prices being provided for price of ETH in terms of the keeper token as these may be outdated prices prior to the downtime. These stale prices can hinder the keeper incentives which are crucial to well functioning of the project
Code Snippet
Tool used
Manual Review
Recommendation
It is recommended to use sequencer oracle to determine whether the sequencer is offline or not by monitoring the status of the Arbitrum Sequencer, and don't allow transactions during these periods of inactivity.
Duplicate of #146