Closed sherlock-admin3 closed 3 months ago
skyge
medium
Arrakis is going to deployed on Ethereum, Arbitrum, Gnosis, so when using Chainlink on Arbitrum requires to check if the sequencer is down.
The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.
There is a lack of a check if the L2 Arbitrum sequencer is down in valantis-hot/src/HOTOracle.sol.
valantis-hot/src/HOTOracle.sol
function _getOraclePriceUSD( AggregatorV3Interface feed, uint32 maxOracleUpdateDuration ) internal view returns (uint256 oraclePriceUSD) { (, int256 oraclePriceUSDInt, , uint256 updatedAt, ) = feed.latestRoundData(); if (block.timestamp - updatedAt > maxOracleUpdateDuration) { revert HOTOracle___getOraclePriceUSD_stalePrice(); } oraclePriceUSD = oraclePriceUSDInt.toUint256(); }
could potentially be exploited by malicious actors to gain an unfair advantage.
https://github.com/sherlock-audit/2024-03-arrakis/blob/main/valantis-hot/src/HOTOracle.sol#L138-L149
Manual Review
It is recommended to follow the code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
skyge
medium
Oracle doesn't check if Arbitrum Sequencer is active
Summary
Arrakis is going to deployed on Ethereum, Arbitrum, Gnosis, so when using Chainlink on Arbitrum requires to check if the sequencer is down.
The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.
Vulnerability Detail
There is a lack of a check if the L2 Arbitrum sequencer is down in
valantis-hot/src/HOTOracle.sol.Impact
could potentially be exploited by malicious actors to gain an unfair advantage.
Code Snippet
https://github.com/sherlock-audit/2024-03-arrakis/blob/main/valantis-hot/src/HOTOracle.sol#L138-L149
Tool used
Manual Review
Recommendation
It is recommended to follow the code example of Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code