Closed sherlock-admin3 closed 7 months ago
3 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid, sequencer issues are invalid in sherlock, besides the underlying DEX price will prevent the usage of outdated oracle price
tsvetanovv commented:
According to Smilee Readme and Sherlock documentation this issue type is invalid
takarez commented:
invalid
smbv-1919
medium
No check if Arbitrum L2 sequencer is down in ChainlinkPriceOracle
Summary
- Using a Chainlink oracle on L2 chains such as Arbitrum requires checking whether the sequencer is down, to avoid prices looking fresh when they are not.
- The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.
Vulnerability Detail
getTokenPrice() is used to get the price of a token. There is no check that the sequencer is down.
https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/providers/chainlink/ChainlinkPriceOracle.sol#L90
https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/providers/chainlink/ChainlinkPriceOracle.sol#L110
Impact
- If the Arbitrum sequencer goes down, the protocol will allow users to continue to operate at the previous (stale) rates.
Code Snippet
https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/providers/chainlink/ChainlinkPriceOracle.sol#L90
https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/providers/chainlink/ChainlinkPriceOracle.sol#L110
Tool used
Manual Review
Recommendation
- It is recommended to follow the code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
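A sketch of the sequencer check the recommendation refers to, added here as an illustration; it is not part of the original report and is not Smilee's or Chainlink's own code. The contract name, error names, `GRACE_PERIOD` value and `maxDelay` parameter are assumptions, and the aggregator interface is declared inline so the example is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal subset of the Chainlink aggregator interface (declared inline for this example).
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical wrapper, not Smilee's ChainlinkPriceOracle.
contract SequencerAwarePriceReader {
    error SequencerDown();
    error GracePeriodNotOver();
    error InvalidPrice();
    error StalePrice();

    // Address of the L2 sequencer uptime feed, supplied at deployment.
    IAggregatorV3 public immutable sequencerUptimeFeed;
    // Assumed grace period after the sequencer comes back up.
    uint256 public constant GRACE_PERIOD = 1 hours;

    constructor(address uptimeFeed) {
        sequencerUptimeFeed = IAggregatorV3(uptimeFeed);
    }

    // maxDelay is a hypothetical per-feed staleness bound, in seconds.
    function readPrice(IAggregatorV3 priceFeed, uint256 maxDelay) external view returns (int256) {
        (, int256 status, uint256 startedAt,,) = sequencerUptimeFeed.latestRoundData();

        // On the uptime feed, answer == 0 means the sequencer is up, 1 means it is down.
        if (status != 0) revert SequencerDown();
        // Defensive: a zero startedAt means no status round has been recorded yet.
        if (startedAt == 0) revert SequencerDown();
        // startedAt is when the status last changed; wait out the grace period
        // so price feeds have had time to update after a restart.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();

        (, int256 price,, uint256 updatedAt,) = priceFeed.latestRoundData();
        if (price <= 0) revert InvalidPrice();
        // Independent staleness bound on the price feed itself.
        if (block.timestamp - updatedAt > maxDelay) revert StalePrice();
        return price;
    }
}
```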