sherlock-audit / 2024-05-midas-judging


turvec - _getDataInBase18() doesn't check if Arbitrum sequencer is down in Chainlink feeds #140

Closed sherlock-admin4 closed 6 months ago

sherlock-admin4 commented 6 months ago

turvec

medium

_getDataInBase18() doesn't check if Arbitrum sequencer is down in Chainlink feeds

Summary

When utilizing Chainlink in L2 chains like Arbitrum, it's important to ensure that the prices provided are not falsely perceived as fresh, even when the sequencer is down. This vulnerability could potentially be exploited by unfreed users to gain an unfair advantage.

Vulnerability Detail

There is no sequencer check in _getDataInBase18:

    function _getDataInBase18()
        private
        view
        returns (uint80 roundId, uint256 answer)
    {
        uint8 decimals = aggregator.decimals();
        // @> price is read directly; no L2 sequencer uptime feed is consulted first
  @>    (uint80 _roundId, int256 _answer, , uint256 updatedAt, ) = aggregator
            .latestRoundData();
        require(_answer > 0, "DF: feed is deprecated");
        require(
            // solhint-disable-next-line not-rely-on-time
            block.timestamp - updatedAt <= _HEALTHY_DIFF,
            "DF: feed is unhealthy"
        );
        roundId = _roundId;
        answer = uint256(_answer).convertToBase18(decimals);
    }

Impact

Could potentially be exploited by unfreed users to gain an unfair advantage, break the minAmountToDeposit invariant, and execute a deposit.

Code Snippet

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/feeds/DataFeed.sol#L64-L80

Tool used

Manual Review

Recommendation

Code example from Chainlink: https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

Duplicate of #82
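The following is an added example of what the recommended fix looks like when applied to the feed function quoted above. It is not code from the Midas repository or from the report author: the contract name, the `sequencerUptimeFeed` storage slot, the `GRACE_PERIOD_TIME` and `_HEALTHY_DIFF` values, the inline base-18 scaling (standing in for the project's `convertToBase18` library call), and the custom errors are all assumptions made for illustration. The sequencer check follows the pattern in the linked Chainlink documentation: the uptime feed's `answer` is `0` when the sequencer is up and `1` when it is down, and `startedAt` is the time the sequencer last came back online, so a grace period after a restart is also enforced before a price is accepted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal Chainlink aggregator interface, declared inline so the example is self-contained.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Assumed contract name; illustrates the sequencer-aware version of _getDataInBase18().
contract SequencerAwareDataFeed {
    AggregatorV3Interface public immutable aggregator;
    // Assumed: Chainlink L2 sequencer uptime feed for the chain this is deployed on.
    AggregatorV3Interface public immutable sequencerUptimeFeed;

    // Assumed values for illustration; a real deployment tunes these per chain and asset.
    uint256 public constant GRACE_PERIOD_TIME = 3600; // 1 hour after the sequencer restarts
    uint256 private constant _HEALTHY_DIFF = 3 days;

    error SequencerDown();
    error GracePeriodNotOver();
    error FeedDeprecated();
    error FeedUnhealthy();

    constructor(address _aggregator, address _sequencerUptimeFeed) {
        aggregator = AggregatorV3Interface(_aggregator);
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
    }

    // Public wrapper so the guarded read can be called from outside.
    function getDataInBase18() external view returns (uint80 roundId, uint256 answer) {
        return _getDataInBase18();
    }

    // Reverts unless the L2 sequencer is up and the post-restart grace period has elapsed.
    function _checkSequencer() private view {
        (, int256 status, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();

        // answer == 0: sequencer is up; answer == 1: sequencer is down.
        if (status != 0) revert SequencerDown();

        // startedAt is when the sequencer came back up; reject prices until the grace
        // period has passed so that stale rounds are not treated as fresh right after
        // a restart.
        // solhint-disable-next-line not-rely-on-time
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();
    }

    // Same shape as the reported function, with the sequencer check added up front.
    function _getDataInBase18() private view returns (uint80 roundId, uint256 answer) {
        _checkSequencer();

        uint8 decimals = aggregator.decimals();
        (uint80 _roundId, int256 _answer, , uint256 updatedAt, ) = aggregator.latestRoundData();

        if (_answer <= 0) revert FeedDeprecated();
        // solhint-disable-next-line not-rely-on-time
        if (block.timestamp - updatedAt > _HEALTHY_DIFF) revert FeedUnhealthy();

        roundId = _roundId;
        answer = _toBase18(uint256(_answer), decimals);
    }

    // Assumed stand-in for the project's convertToBase18 library: rescales a value
    // quoted with `decimals` decimals to 18 decimals.
    function _toBase18(uint256 value, uint8 decimals) private pure returns (uint256) {
        if (decimals == 18) return value;
        if (decimals < 18) return value * (10 ** (18 - decimals));
        return value / (10 ** (decimals - 18));
    }
}
```

Two practical notes: the uptime feed address must be the one Chainlink publishes for the specific L2 (it differs per network, and there is none on L1, so the check should be skipped or stubbed on chains without a sequencer), and the grace period should not be set so short that the first rounds after a restart, which can carry prices that lagged the market while the sequencer was offline, are accepted before the feed catches up.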