search

sherlock-audit / 2023-12-arcadia-judging

19 stars 15 forks source link

akhoronko - Missing checks for down L2 Sequencer in `Registry.getRateInUsd` function #207

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

akhoronko

medium

Missing checks for down L2 Sequencer in Registry.getRateInUsd function

Summary

When using Chainlink with L2 chains, smart contracts must check whether the L2 Sequencer is down to avoid stale pricing data

Vulnerability Detail

There is no check for down sequencer:

    function getRateInUsd(bytes32 oracleSequence) external view returns (uint256 rate) {
     ...
        for (uint256 i; i < length; ++i) {
            if (baseToQuoteAsset[i]) {
                // @audit rate might be stale
                rate = rate.mulDivDown(IOracleModule(oracleToOracleModule[oracles[i]]).getRate(oracles[i]), 1e18);
            } else {
                // @audit rate might be stale
                rate = rate.mulDivDown(1e18, IOracleModule(oracleToOracleModule[oracles[i]]).getRate(oracles[i]));
            }
        }
    }

This function is used in Asset Module in getValue to return the USD value of an asset

Impact

If the L2 sequencer goes down, the protocol will allow users to continue to operate at the previous (stale) rates.

Code Snippet

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/Registry.sol#L580-L600

Tool used

Manual Review

Recommendation

Pass creditor asset as parameter and add sequencerNotDown modifier ( https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/Registry.sol#L131 ) as it done in other oracle related functions (getValuesInUsd, getTotalValue, etc):

function getRateInUsd(address creditor, bytes32 oracleSequence) external view sequencerNotDown(creditor) returns (uint256 rate) {
    ...
}

Duplicate of #105

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid