Closed sherlock-admin closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Could you explain why it is an invalid issue? Here is exactly the same issue, which was validated as medium and covers the L2 sequencer: https://github.com/sherlock-audit/2023-06-dodo-judging/issues/13 @sherlock-admin @rcstanciu @Shogoki
Bjorn_Bug
medium
No check if Base L2 sequencer is down in Chainlink feeds
Summary
Using Chainlink in L2 chains such as Base requires checking the Sequencer Uptime Feed to ensure that the sequencer is live before trusting the data returned by the Price Feed. If the Base Sequencer goes down, oracle data will not be kept up to date, and thus could become stale.
Vulnerability Detail
The _getOnchainPrice() function, used within _getPrice(), returns the on-chain price if offchainInvalid == true or when offchainTime < onchainTime.
_getPrice function
However, _getOnchainPrice doesn't check the Sequencer Uptime Feed to confirm the sequencer's status. So, if the Base Sequencer is down, the protocol could end up using stale data.
Impact
This can lead to:
canLiquidate function, even if they should not be.
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L141
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L106
Tool used
Manual Review
Recommendation
Check the Sequencer Uptime Feed before consuming any price returned by a Chainlink Price Feed. The Chainlink documentation contains an example of how to check the sequencer status: https://docs.chain.link/data-feeds/l2-sequencer-feeds
Duplicate of #27