Bauchibred - No check for sequencer uptime can lead to flawed implementations of the dutch orders since they could fail or execute at bad prices

[sherlock-admin2]

Bauchibred

medium

No check for sequencer uptime can lead to flawed implementations of the dutch orders since they could fail or execute at bad prices

Impact

The protocol implements a Dutch order mechanism to settle orders. However, there is no check for sequencer uptime, which would lead to auctions failing or executing at somewhat unfavorable prices(though acceptable).

The current implementation of orders allow to set a duration that the order is active If there's no bid on the auction after this period, it gets canceled. This would have serious consequences in the event of a network outage, as this means that all orders would now not go through, and in the case where the whole decay duration does not pass throguh while the network is out, then the seller would miss out on profit cause even if there was a buyer that would place a higher price for the order they wouldn't be able to do that while the network is out.

Network outages with relative frequency. For instance, Arbitrum suffered an hour-long outages a few weeks ago (source).

TLDR: Contract's core functionality does not take into account the fact that on L2s the sequencer could go down and as such would lead to a broken implementation of this functionality.

Proof of Concept

Consider the following scenario:

• An order(s) is placed and the dutch auction is initiated.
• The network experiences an outage, causing the sequencer to go offline.
• The auction(s) fail(s) to receive any bids within the startTime to endTime window due to the outage.
• The seller is forced to have a broken functionality, cause now the order can't be settled.

Code Snippet

https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/11cac67919e8a1303b3a3177291b88c0c70bf03b/gladius-contracts-internal/src/lib/DutchDecayLib.sol#L20-L26

Recommended Mitigation Steps

Consider integrating an external uptime feed such as Chainlink's L2 Sequencer Feeds. This would allow the protocol to invalidate an auction if the sequencer was ever offline during its duration. Alternatively, implement a mechanism to restart an auction if it has received no bids, or if the sequencer went down while it was live.

[sherlock-admin]

2 comment(s) were left on this issue during the judging contest.

PNS commented:

Chain re-org and network liveness related issues are not considered valid.

0xAadi commented:

Invalid: OOS