No check for Optimisim sequencer down in Chainlink feeds
Summary
Using Chainlink in L2 chains requires checking if the sequencer is down to prevent stale prices from looking like they're updated while it's not. The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.
Vulnerability Detail
The assetPrice is used the get the the price of assets from chainlink price feeds, but there is no check that the sequencer is down
function assetPrice(IPriceFeed priceFeed) public view returns (uint256) {
if (address(priceFeed) == BASE_FEED) return basePrice;
int256 price = priceFeed.latestAnswer();
if (price <= 0) revert InvalidPrice();
return uint256(price) * baseFactor;
}
Impact
Malicious actors can take advantage of stale prices
mahdikarimi
high
No check for Optimisim sequencer down in Chainlink feeds
Summary
Using Chainlink in L2 chains requires checking if the sequencer is down to prevent stale prices from looking like they're updated while it's not. The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.
Vulnerability Detail
The
assetPrice
is used the get the the price of assets from chainlink price feeds, but there is no check that the sequencer is downImpact
Malicious actors can take advantage of stale prices
Code Snippet
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Auditor.sol#L326-L332
Tool used
Manual Review
Recommendation
Check if sequencer is down and use a backup oracle in this situation.