OracleLib.sol doesn't check if the Arbitrum sequencer is down in Chainlink feeds

Severity
Medium Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/libraries/OracleLib.sol#L21-L32
Summary
When utilizing Chainlink in L2 chains like Arbitrum, it's important to ensure that the prices provided are not falsely perceived as fresh, even when the sequencer is down. This vulnerability could potentially be exploited by malicious actors to gain an unfair advantage.
Vulnerability Details
The library function for getting an asset's price looks like this:
But there is no check for the scenario where the L2 sequencer is not active. This can lead to a false (stale) price being fetched and treated as fresh.
Similar findings
Impact
A false price may get fetched, which lets malicious users gain an advantage.
Tools Used
Manual review.
Recommendations
Here's a code example from Chainlink to mitigate the issue:
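The following is an added example, not the audited project's OracleLib.sol and not code copied from Chainlink. It shows a price library that applies the L2 Sequencer Uptime Feed pattern from Chainlink's documentation before the usual staleness check. The library name, error names, the TIMEOUT and GRACE_PERIOD_TIME values, the `address(0)` convention for chains without a sequencer, and the import path are all assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed import path; adjust to the version of @chainlink/contracts in use.
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/*
 * Added example (not the audited project's code). All names and constants
 * are assumptions chosen for illustration.
 */
library SequencerAwareOracleLib {
    error OracleLib__SequencerDown();
    error OracleLib__GracePeriodNotOver();
    error OracleLib__StalePrice();

    // Assumed values: tune both to the protocol's risk tolerance and the feed's heartbeat.
    uint256 private constant TIMEOUT = 3 hours;
    uint256 private constant GRACE_PERIOD_TIME = 1 hours;

    // Reverts unless the L2 sequencer is up and has been up for longer than the grace period.
    // Passing address(0) (assumed convention) skips the check for deployments on chains
    // that have no sequencer, e.g. Ethereum mainnet.
    function checkSequencerUp(AggregatorV3Interface sequencerUptimeFeed) internal view {
        if (address(sequencerUptimeFeed) == address(0)) return;

        (, int256 answer, uint256 startedAt,,) = sequencerUptimeFeed.latestRoundData();

        // Uptime feed semantics: answer == 0 means the sequencer is up, answer == 1 means down.
        if (answer != 0) revert OracleLib__SequencerDown();

        // startedAt is the timestamp at which the feed last changed state. Enforcing a grace
        // period after the sequencer comes back gives users time to act (top up collateral,
        // repay) before prices that moved during the outage are applied to them.
        if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) revert OracleLib__GracePeriodNotOver();
    }

    // Same return shape as AggregatorV3Interface.latestRoundData, but reverts on
    // a down sequencer, an unfinished grace period, or a stale price.
    function staleCheckLatestRoundData(
        AggregatorV3Interface priceFeed,
        AggregatorV3Interface sequencerUptimeFeed
    ) internal view returns (uint80, int256, uint256, uint256, uint80) {
        checkSequencerUp(sequencerUptimeFeed);

        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // updatedAt == 0 means the round was never completed; otherwise enforce the heartbeat timeout.
        if (updatedAt == 0 || block.timestamp - updatedAt > TIMEOUT) revert OracleLib__StalePrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}
```

Design note: the sequencer check runs before the price staleness check because, while the sequencer is down, the price feed's updatedAt can still look recent relative to the last L2 block, so the TIMEOUT check alone does not catch the outage. The grace period is the part most often omitted; without it, liquidations can fire in the first block after the sequencer returns, before users have any chance to respond.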