Skip to content
This repository has been archived by the owner on Nov 12, 2023. It is now read-only.

aviggiano - Chainlink adaptors don't check If Arbitrum sequencer is down #150

Closed
sherlock-admin opened this issue May 10, 2023 · 0 comments
Closed

aviggiano - Chainlink adaptors don't check If Arbitrum sequencer is down #150

sherlock-admin opened this issue May 10, 2023 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented May 10, 2023
edited by github-actions bot
Loading

aviggiano

medium

Chainlink adaptors don't check If Arbitrum sequencer is down

Summary

When utilizing Chainlink in L2 chains like Arbitrum, it's important to ensure that the prices provided are not falsely perceived as fresh, even when the sequencer is down. This vulnerability could potentially be exploited by malicious actors to gain an unfair advantage.

Vulnerability Detail

The functions JOJOOracleAdaptor.getAssetPrice and ChainlinkExpandAdaptor.getMarkPrice do not check if the sequencer is down or not.

If a sequencer becomes unavailable, it is impossible to access read/write APIs that consumers are using and applications on the L2 network will be down for most users without interacting directly through the L1 optimistic rollup contracts. The L2 has not stopped, but it would be unfair to continue providing service on your applications when only a few users can use them.

To help your applications identify when the sequencer is unavailable, protocols should use a data feed that tracks the last known status of the sequencer at a given point in time. This helps prevent mass liquidations by providing a grace period to allow customers to react to such an event.

References:

Impact

The price recorded by latestRoundData will be inaccurate since the true price won't be reported to the chain due to the sequence being down. This could lead to users being reported an outdated price.

  • Users can get better borrows if the price is above the actual price
  • Users can avoid liquidations if the price is under the actual price

Code Snippet

https://github.com/sherlock-audit/2023-04-jojo/blob/main/JUSDV1/src/oracle/JOJOOracleAdaptor.sol#L26-L35

https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/adaptor/chainlinkAdaptor.sol#L43-L55

Tool used

Manual Review

Recommendation

It is recommended to follow the code example of Chainlink:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code

Duplicate of #101
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels May 17, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label May 30, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue labels Jun 19, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin