Closed sherlock-admin closed 6 months ago
Invalid based on sherlock rules, given external admins are deemed as trusted in contest details here
- Chain re-org and network liveness related issues are not considered valid. Exception: If an issue concerns any kind of a network admin (e.g. a sequencer), can be remedied by a smart contract modification, the protocol team considers external admins restricted and the considered network was explicitly mentioned in the contest README, it may be a valid medium. It should be assumed that any such network issues will be resolved within 7 days, if that may be possible.
cu5t0mPe0
high
No check for active L2 Sequencer
Summary
Using Chainlink in L2 chains such as Arbitrum requires to check if the sequencer is down to avoid prices from looking like they are fresh although they are not according to their [recommendation](https://docs.chain.link/data-feeds/l2-sequencer-feeds#arbitrum)
Vulnerability Detail
The functions getOneFeedPrice and getTwoFeedPriceDiv and getTwoFeedPriceMul in the contract ChainlinkPriceFeeds will call _getFeedPrice, but these functions will not check whether the sequencer has been closed.
Although a try-catch statement is used to capture exceptions from external contracts, when the sequencer is closed, it will not send revert. The specific implementation is as follows:
https://vscode.blockscan.com/arbitrum-one/0xC1303BBBaf172C55848D3Cb91606d8E27FF38428
Impact
If the sequencer goes down, the protocol will allow users to continue to operate at the previous (stale) rates and this can be leveraged by malicious actors to gain unfair advantage.
Code Snippet
https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/PRICE/submodules/feeds/ChainlinkPriceFeeds.sol#L174-L199
Tool used
Manual Review
Recommendation
It is recommended to follow the Chailink [example code](https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code)