sherlock-audit / 2024-02-smilee-finance-judging


0xlucky - Missing checks for whether L2 Sequencer is active #155

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 9 months ago

0xlucky

medium

Missing checks for whether L2 Sequencer is active

Summary

Using Chainlink on L2 chains such as Arbitrum requires checking whether the sequencer is down, to avoid prices looking fresh when they are not, according to their recommendation.

Vulnerability Detail

There is no check for whether the oracle is down.

In another function where it is used, the stale price feed is checked, but not whether the sequencer is down.

Impact

If the sequencer goes down, the protocol will allow users to continue to operate at the previous (stale) rates and this can be leveraged by malicious actors to gain unfair advantage.

Code Snippet

https://github.com/sherlock-audit/2024-02-smilee-finance-sa9933/blob/47ce0894416e1b7cc75e8cc57e73d07d9dc5f987/smilee-v2-contracts/src/providers/chainlink/ChainlinkPriceOracle.sol#L117

Tool used

Manual Review

Recommendation

It is recommended to follow the code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
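Added example, not part of the original issue and not Smilee's or Chainlink's own code: a minimal reader that refuses a price while the L2 sequencer uptime feed reports the sequencer down or only recently restarted, and that also applies the staleness check the report mentions. The contract name, the `gracePeriod` and `maxPriceAge` parameters and the error names are assumptions; the feed addresses are supplied by the deployer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of Chainlink's AggregatorV3Interface, declared inline so the file compiles alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical wrapper for illustration; not Smilee's ChainlinkPriceOracle.
contract SequencerAwarePriceReader {
    AggregatorV3Interface public immutable sequencerUptimeFeed;
    uint256 public immutable gracePeriod; // assumption: seconds to wait after the sequencer resumes
    uint256 public immutable maxPriceAge; // assumption: feed heartbeat plus a safety margin

    error SequencerDown();
    error GracePeriodNotOver();
    error InvalidPrice();
    error StalePrice();

    constructor(address uptimeFeed, uint256 gracePeriod_, uint256 maxPriceAge_) {
        sequencerUptimeFeed = AggregatorV3Interface(uptimeFeed);
        gracePeriod = gracePeriod_;
        maxPriceAge = maxPriceAge_;
    }

    function readPrice(AggregatorV3Interface priceFeed) external view returns (uint256) {
        // Uptime feed: answer == 0 means the sequencer is up, 1 means it is down.
        (, int256 status, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (status != 0) revert SequencerDown();

        // startedAt is when the status last changed. A zero value means the feed has
        // no round yet; treat that and a recent restart as "not ready" (fail closed).
        if (startedAt == 0 || block.timestamp - startedAt <= gracePeriod) revert GracePeriodNotOver();

        // Price feed: reject non-positive answers and answers older than maxPriceAge.
        (, int256 price, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        if (price <= 0) revert InvalidPrice();
        if (block.timestamp - updatedAt > maxPriceAge) revert StalePrice();

        return uint256(price);
    }
}
```

The grace period matters because a price that was last updated before the outage can still pass a loose `maxPriceAge` check in the first moments after the sequencer resumes.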

sherlock-admin2 commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, sequencer issues are invalid in Sherlock; besides, the underlying DEX price will prevent the usage of an outdated oracle price

tsvetanovv commented:

According to Smilee Readme and Sherlock documentation this issue type is invalid