sherlock-audit / 2023-12-flatmoney-judging


Bjorn_Bug - No check if Base L2 sequencer is down in Chainlink feeds #159

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

Bjorn_Bug

medium

No check if Base L2 sequencer is down in Chainlink feeds

Summary

Using Chainlink in L2 chains such as Base requires checking the Sequencer Uptime Feed to ensure that the sequencer is live before trusting the data returned by the Price Feed. If the Base Sequencer goes down, oracle data will not be kept up to date and thus could become stale.

Vulnerability Detail

The _getOnchainPrice() function, used within _getPrice(), returns the on-chain price if offchainInvalid == true or when offchainTime < onchainTime.

_getPrice function

```solidity
if (offchainInvalid == false) {
    // return the freshest price
    if (offchainTime >= onchainTime) {
        price = offchainPrice;
        timestamp = offchainTime;
        offchain = true;
    } else {
        price = onchainPrice;
        timestamp = onchainTime;
    }
} else {
    price = onchainPrice;
    timestamp = onchainTime;
}
```

However, _getOnchainPrice doesn't check the Sequencer Uptime Feed to confirm the sequencer's status. So, if the Base Sequencer is down, the protocol could end up using stale data.

Impact

This can lead to:

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L141
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L106

Tool used

Manual Review

Recommendation

Check the Sequencer Uptime Feed before consuming any price returned by a Chainlink Price Feed. The Chainlink documentation contains an example of how to check the sequencer status: https://docs.chain.link/data-feeds/l2-sequencer-feeds

Duplicate of #27
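A hardened on-chain price read along the lines the recommendation describes, added here as an illustration and not code from the Flat Money repository: it consults the Chainlink L2 Sequencer Uptime Feed and a post-recovery grace period before trusting `latestRoundData()` from the price feed. The contract name, feed addresses, `GRACE_PERIOD` and `maxPriceAge` are assumed values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Chainlink aggregator interface (same signature as AggregatorV3Interface).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract SequencerAwareOracle {
    // Assumed grace period after the sequencer comes back up; prices are rejected
    // until it has elapsed so that the feed has time to catch up.
    uint256 public constant GRACE_PERIOD = 3600;
    // Assumed maximum age (seconds) of a price answer before it is treated as stale.
    uint256 public immutable maxPriceAge;

    AggregatorV3Interface public immutable sequencerUptimeFeed;
    AggregatorV3Interface public immutable priceFeed;

    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice(uint256 updatedAt);
    error InvalidPrice(int256 answer);

    constructor(address uptimeFeed, address feed, uint256 maxAge) {
        sequencerUptimeFeed = AggregatorV3Interface(uptimeFeed);
        priceFeed = AggregatorV3Interface(feed);
        maxPriceAge = maxAge;
    }

    // Returns the on-chain price only when the sequencer is up, the grace period
    // has passed, and the answer is positive and fresh.
    function getOnchainPrice() external view returns (uint256 price, uint256 timestamp) {
        _requireSequencerUp();
        (, int256 answer, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        if (block.timestamp - updatedAt > maxPriceAge) revert StalePrice(updatedAt);
        return (uint256(answer), updatedAt);
    }

    function _requireSequencerUp() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        // Chainlink L2 sequencer uptime feeds report answer == 0 for "up" and 1 for "down".
        if (answer != 0) revert SequencerDown();
        // startedAt is the timestamp of the latest status change; reject prices until
        // the sequencer has been back up for longer than the grace period.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }
}
```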

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

BjornBug commented 7 months ago

Could you explain why it is an invalid issue? Here exactly the same issue was validated as medium that covers the L2 sequencer: https://github.com/sherlock-audit/2023-06-dodo-judging/issues/13 @sherlock-admin @rcstanciu @Shogoki