search

sherlock-audit / 2024-04-interest-rate-model-judging

2 stars 1 forks source link

mahdikarimi - No check for Optimisim sequencer down in Chainlink feeds #107

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

mahdikarimi

high

No check for Optimisim sequencer down in Chainlink feeds

Summary

Using Chainlink in L2 chains requires checking if the sequencer is down to prevent stale prices from looking like they're updated while it's not. The bug could be leveraged by malicious actors to take advantage of the sequencer downtime.

Vulnerability Detail

The assetPrice is used the get the the price of assets from chainlink price feeds, but there is no check that the sequencer is down

  function assetPrice(IPriceFeed priceFeed) public view returns (uint256) {
    if (address(priceFeed) == BASE_FEED) return basePrice;

    int256 price = priceFeed.latestAnswer();
    if (price <= 0) revert InvalidPrice();
    return uint256(price) * baseFactor;
  }

Impact

Malicious actors can take advantage of stale prices

Code Snippet

https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Auditor.sol#L326-L332

Tool used

Manual Review

Recommendation

Check if sequencer is down and use a backup oracle in this situation.

santipu03 commented 2 months ago

The issue is invalid because it's a known issue according to the README.