robmi10
commented
5 months ago Escalate This is valid because they are going to deploy on Arbitrum and they haven't implemented any L2 sequencer to check if the oracle is down.
Closed sherlock-admin4 closed 5 months ago
robmi10
commented
5 months ago Escalate This is valid because they are going to deploy on Arbitrum and they haven't implemented any L2 sequencer to check if the oracle is down.
sherlock-admin3
commented
5 months ago Escalate This is valid because they are going to deploy on Arbitrum and they haven't implemented any L2 sequencer to check if the oracle is down.
The escalation could not be created because you are not exceeding the escalation threshold.
You can view the required number of additional valid issues/judging contest payouts in your Profile page, in the Sherlock webapp.
0xjuaan
commented
5 months ago See the contest readme, it is assumed the sequencer won't misbehave
robmi10
commented
5 months ago @0xjuaan Yes I saw it now thx! But thats a weird assumption to make because the risk is still there.
0xrobsol
high
L2 Sequencer Reliability and Oracle Data Freshness
Summary
The function _getOraclePriceUSD retrieves the latest oracle price data for use within the smart contract. This function assumes that the L2 sequencer is always operational and that the oracle data is timely. However, the potential downtime or delays of the L2 sequencer, especially in environments such as Arbitrum, may not be adequately addressed, leading to the use of stale or outdated data.
Vulnerability Detail
The function _getOraclePriceUSD fetches the latest round data from a specified oracle, which includes the price and the time of the last update. The function checks if the current block timestamp minus the updatedAt timestamp exceeds a maximum allowed duration, maxOracleUpdateDuration, and reverts if it does. While this checks for data staleness, it does not account for the possibility that the L2 sequencer itself could be down or experiencing delays, impacting the reliability and freshness of the oracle data.
Impact
If the L2 sequencer is delayed or offline, the oracle data might not be updated as expected, even if the data itself is within the allowed time frame from the last successful update. This could lead to scenarios where outdated pricing information is used for critical financial decisions within the smart contract, potentially resulting in financial losses, incorrect tx executions etc.
Code Snippet
https://github.com/sherlock-audit/2024-03-arrakis/blob/main/valantis-hot/src/HOTOracle.sol#L138-L149
Tool used
Manual Review
Recommendation
Integrate a mechanism to verify the operational status of the L2 sequencer before fetching and using oracle data. Here is how you can implement it -> https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code