search

sherlock-audit / 2023-12-arcadia-judging

19 stars 15 forks source link

PR-Security - `StakedStargateAM` won't work on some L2 chains #218

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

PR-Security

medium

StakedStargateAM won't work on some L2 chains

Summary

The StakedStargateAM contract won't work on some L2 chains, as on some of those, there are no Chainlink price feeds for the reward tokens of the LPStakingTime contract

Vulnerability Detail

As it is stated in the contest README, the contracts in scope for this audit are intended to be deployed on all L2 chains:

On what chains are the smart contracts going to be deployed?

However, the StakedStargateAM contract will not be able to function properly on all of those. That's because on some of them, there are no Chainlink price feeds for the reward tokens of the LPStakingTime contract. This means that on those chains, the price of the reward tokens will not be able to be fetched, leading to the Regisrty::getCollateralValue and Regisrty::getLiquidationValue not being able to function with the StakedStargateAM and in turn, making the protocol unable to function with this particular asset module.

Such is the case on the Linea blockchain. As it can be seen, the LPStakingTime contract that is deployed on it has STG set as its reward token. And as it can be seen on the official page for the STG/USD price pair on the Chainlink website, there is no Chainlink STG/USD price feed on the Linea chain. In fact, there is no Chainlink price feed for the STG token on that chain at all.

Impact

The Stargate staking integration will not work on some chains

Code Snippet

AbstractStakingAM.sol#L162

Tool used

Manual Review

Recommendation

Implement an additional Oracle Module that will be able to price the tokens that do not have Chainlink price feeds on some chains

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 9 months ago

Invalid, future integrations not explicitly mentioned, so invalid based on sherlock rules

Future issues: Issues that result out of a future integration/implementation that was not mentioned in the docs/README or because of a future change in the code (as a fix to another issue) are not valid issues.