vesla0xfa - Missing check if Base Sequencer is down in OracleModule

[sherlock-admin]

vesla0xfa

medium

Missing check if Base Sequencer is down in OracleModule

Summary

A good practice when using price oracles such as Chainlink or Pyth in L2 chains (i.e. Base) is to check the sequencer uptime feed before getting data from oracles. This prevents bad actors to take advantage from stale prices in case the sequencer is down.

Vulnerability Detail

If the sequencer goes down, prices would be falsely perceived as fresh, since L2-submitted transactions will not be processed.

Impact

Users can continue submitting orders and take advantage from stale prices if sequencer is down.

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L106-L108

// File: flatcoin-v1/src/OracleModule.sol    OracleModule._getPrice
106:     function _getPrice(uint32 maxAge) internal view returns (uint256 price, uint256 timestamp) {
107:         (uint256 onchainPrice, uint256 onchainTime) = _getOnchainPrice(); // will revert if invalid
108:         (uint256 offchainPrice, uint256 offchainTime, bool offchainInvalid) = _getOffchainPrice();

Tool used

vim, Foundry

Recommendation

Add a check for the sequencer uptime before consuming data from Oracles. Follow the example in the Chainlink docs: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

Duplicate of #27

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid