Breeje - Missing checks for whether Arbitrum Sequencer is active

[sherlock-admin]

Breeje

medium

Missing checks for whether Arbitrum Sequencer is active

Summary

Missing checks for whether Arbitrum Sequencer is active

Vulnerability Detail

It has been made clear that LimitOrderRegistry contract will be deployed on L2s like arbitrum as well,

Chainlink recommends that users using price oracles, check whether the Arbitrum sequencer is active

Link: https://docs.chain.link/data-feeds#l2-sequencer-uptime-feeds

If the sequencer goes down, the index oracles may have stale prices, since L2-submitted transactions (i.e. by the aggregating oracles) will not be processed.

Impact

Price used might be stale and Users are charged wrongly.

Code Snippet

File: LimitOrderRegisty.sol

  function getGasPrice() public view returns (uint256) {
        // If gas feed is set use it.
        if (fastGasFeed != address(0)) {
            (, int256 _answer, , uint256 _timestamp, ) = IChainlinkAggregator(fastGasFeed).latestRoundData();
            uint256 timeSinceLastUpdate = block.timestamp - _timestamp;
            // Check answer is not stale.
            if (timeSinceLastUpdate > FAST_GAS_HEARTBEAT) {
                // If answer is stale use owner set value.
                // Multiply by 1e9 to convert gas price to gwei
                return uint256(upkeepGasPrice) * 1e9;
            } else {
                // Else use the datafeed value.
                uint256 answer = uint256(_answer);
                return answer;
            }
        }
        // Else use owner set value.
        return uint256(upkeepGasPrice) * 1e9; // Multiply by 1e9 to convert gas price to gwei
    }

Link to Code

Tool used

Manual Review

Recommendation

Use sequencer oracle to determine whether the sequencer is offline or not, and don't allow orders to be executed while the sequencer is offline.

Duplicate of #65