Closed sherlock-admin closed 8 months ago
3 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid, sequencer issues are invalid in sherlock, besides the underlying DEX price will prevent the usage of outdated oracle price
tsvetanovv commented:
According to Smilee Readme and Sherlock documentation this issue type is invalid
takarez commented:
invalid
404Notfound
medium
No check if L2 sequencer is down in Chainlink feeds
Summary
Using Chainlink in L2 chains such as Arbitrum requires checking if the sequencer is down to avoid prices from looking like they are fresh although they are not.
Malicious actors could leverage the bug to take advantage of the sequencer downtime.
Vulnerability Detail
Per the README.md, the protocol will be deployed on Arbitrum. When using Chainlink on Layer 2 (L2) chains like Arbitrum, it is essential to implement a check to determine the status of the sequencer. This validation is crucial to prevent prices from appearing up-to-date when, in reality, they are not due to sequencer downtime. However, the current implementation of the ChainlinkPriceOracle contract lacks this protective measure, leaving it susceptible to potential issues arising from the unavailability of the L2 chain.
Impact
If the sequencer goes down, the protocol will allow users to continue to operate at the previous (stale) rates.
Code Snippet
https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/providers/chainlink/ChainlinkPriceOracle.sol#L110-L125
Tool used
Manual Review
Recommendation
It is recommended to follow the code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
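As an added illustration of the check the recommendation points to (this is not code from the Smilee repository or from the submitter), a minimal Solidity price reader that consults the Chainlink L2 sequencer uptime feed before trusting a price; the contract name, error names, feed addresses and the grace period and staleness thresholds are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so the
// example compiles without external imports.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical wrapper (not the Smilee ChainlinkPriceOracle): refuses to return a
// price while the L2 sequencer is down or has only just come back up.
contract SequencerAwarePriceReader {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();

    AggregatorV3Interface public immutable priceFeed;
    AggregatorV3Interface public immutable sequencerUptimeFeed;
    uint256 public constant GRACE_PERIOD = 1 hours;   // assumed; tune per deployment
    uint256 public constant MAX_PRICE_AGE = 1 hours;  // assumed; match the feed's heartbeat

    constructor(address _priceFeed, address _sequencerUptimeFeed) {
        priceFeed = AggregatorV3Interface(_priceFeed);
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
    }

    function getPrice() external view returns (int256) {
        // Uptime feed semantics: answer == 0 means the sequencer is up, 1 means down;
        // startedAt is the timestamp of the most recent status change.
        (, int256 status, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (status != 0) revert SequencerDown();

        // After an outage, transactions queued through L1 are replayed before fresh
        // price updates land, so prices remain stale for a while; wait out a grace period.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();

        (, int256 price, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        // Independent staleness and sanity check on the price feed itself.
        if (price <= 0 || block.timestamp - updatedAt > MAX_PRICE_AGE) revert StalePrice();
        return price;
    }
}
```

The sequencer uptime feed address differs per L2 network and is listed in the Chainlink documentation linked above; the grace period should be long enough for the post-outage backlog of L1-queued transactions to drain.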