sherlock-audit / 2024-02-smilee-finance-judging


hals - `ChainlinkPriceOracle`: no check if Arbitrum L2 sequencer is down #120

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 9 months ago

hals

medium

ChainlinkPriceOracle: no check if Arbitrum L2 sequencer is down

Summary

The protocol is supposed to be deployed initially on Arbitrum, then later on other L2s. When using Chainlink price feeds on L2 chains, the sequencer must be checked to confirm it is not down, to prevent using stale prices.

Vulnerability Detail

The ChainlinkPriceOracle.getTokenPrice function is used to extract the price of an asset in USD, but it was noted that there is no check on whether the sequencer is down before consuming the returned price, which might result in using stale prices when the sequencer is down.

Impact

This could result in using invalid/stale prices.

Code Snippet

ChainlinkPriceOracle.getTokenPrice function

function getTokenPrice(address token) public view returns (uint256) {
    if (token == address(0)) {
        revert AddressZero();
    }

    address priceFeed = feeds[token].get();
    if (priceFeed == address(0)) {
        revert TokenNotSupported();
    }

    OracleValue memory price = _getFeedValue(priceFeed);

    // Protect against stale feeds:
    if (block.timestamp - price.lastUpdate > getPriceFeedMaxDelay(token)) {
        revert PriceTooOld();
    }

    return price.value;
}

Tool used

Manual Review

Recommendation

Use sequencer oracle to determine whether the sequencer is offline or not, and revert getTokenPrice() if the sequencer is offline (link).
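For illustration, the sequencer check recommended above wired into a price read, written as a standalone example that is not the Smilee code base or the reporter's code. The hypothetical SequencerAwareOracle contract, the one-hour grace period, the uptime feed address passed to the constructor and the simplified getTokenPrice(priceFeed, maxDelay) signature are assumptions; only the Chainlink AggregatorV3Interface.latestRoundData shape and the 0 = up / 1 = down answer convention of the L2 sequencer uptime feed are real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Chainlink aggregator interface (real signature).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical example contract: a price read guarded by the L2 sequencer uptime feed.
contract SequencerAwareOracle {
    error SequencerDown();
    error GracePeriodNotOver();
    error PriceTooOld();
    error InvalidPrice();

    // Assumed grace period: after the sequencer comes back, wait before trusting prices,
    // so that pending updates have time to land and stale answers are not consumed.
    uint256 public constant GRACE_PERIOD = 3600;

    AggregatorV3Interface public immutable sequencerUptimeFeed;

    // The uptime feed address is chain-specific; pass the one published by Chainlink for the target L2.
    constructor(address _sequencerUptimeFeed) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
    }

    function _checkSequencer() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        // Uptime feed convention: answer == 0 means the sequencer is up, answer == 1 means it is down.
        if (answer != 0) revert SequencerDown();
        // startedAt is when the status last changed, i.e. when the sequencer came back up.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }

    // Simplified read: the sequencer check runs before the staleness check on the price feed itself.
    function getTokenPrice(address priceFeed, uint256 maxDelay) external view returns (uint256) {
        _checkSequencer();
        (, int256 price, , uint256 updatedAt, ) = AggregatorV3Interface(priceFeed).latestRoundData();
        if (block.timestamp - updatedAt > maxDelay) revert PriceTooOld();
        if (price <= 0) revert InvalidPrice();
        return uint256(price);
    }
}
```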

sherlock-admin4 commented 8 months ago

3 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, sequencer issues are invalid in sherlock, besides the underlying DEX price will prevent the usage of outdated oracle price

tsvetanovv commented:

According to Smilee Readme and Sherlock documentation this issue type is invalid

takarez commented:

invalid