To help your applications identify when the sequencer is unavailable, you can use a data feed that tracks the last known status of the sequencer at a given point in time. This helps you prevent mass liquidations by providing a grace period to allow customers to react to such an event.
The implementation of OracleModule.sol:_getOnchainPrice() lacks this validation, which can result in the protocol using an outdated price.
Impact
If the sequencer in Base goes down the oracle will return stale prices. In the case that the onchain oracle price is used because the offchain oracle price is invalid, the wrong price will be used for the calculations of the PnL and the liquidations.
shaka
medium
It is not checked whether the sequencer is down when fetching the price from Chainlink
Summary
It is not checked whether the sequencer is down when fetching the price from Chainlink.
Vulnerability Detail
Chainlink's price feeds in layer 2 networks are updated through the sequencer, which can become unavailable.
The Chainlink documentation states the following regarding its use in layer 2 networks:
The implementation of
OracleModule.sol:_getOnchainPrice()
lacks this validation, which can result in the protocol using an outdated price.Impact
If the sequencer in Base goes down the oracle will return stale prices. In the case that the onchain oracle price is used because the offchain oracle price is invalid, the wrong price will be used for the calculations of the PnL and the liquidations.
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L141-L157
Tool used
Manual review
Recommendation
Duplicate of #27