search

sherlock-audit / 2024-06-leveraged-vaults-judging

9 stars 8 forks source link

unRekt - Not checking if a sequencer is down or not in a function to fetch rate from oracle can lead to outdated and unordered data feed #132

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

unRekt

Medium

Not checking if a sequencer is down or not in a function to fetch rate from oracle can lead to outdated and unordered data feed

Summary

Not checking the sequencer can lead to stale data feed

Vulnerability Detail

By not checking the sequencer in _getPTRate function of the PendlePTOracle.sol contract,it can lead to fetching of unordered and outdated data feeds, use the _checkSequencer function like its used in other functions of oracle

Similar issue in related to Chainlink sequencer: https://github.com/sherlock-audit/2022-11-sentiment-judging/issues/3

Impact

Not checking the sequencer can lead to stale data feed

Code Snippet

function _getPTRate() internal view returns (int256) {
        uint256 ptRate = useSyOracleRate ?
            Deployments.PENDLE_ORACLE.getPtToSyRate(pendleMarket, twapDuration) :
            Deployments.PENDLE_ORACLE.getPtToAssetRate(pendleMarket, twapDuration); 
        return ptRate.toInt();
    }

https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/oracles/PendlePTOracle.sol#L85-L90

Tool used

Manual Review

Recommendation

Use _checkSequencer in _getPTRate

sherlock-admin2 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

On L2, the Chainlink Sequencer oracle is checked and will cause any oracle checks to revert