Madalad - Missing check if Chainlink sequencer is down

[sherlock-admin]

Madalad

medium

Missing check if Chainlink sequencer is down

Summary

When utilizing Chainlink in L2 chains like Arbitrum or Optimism, it's important
to ensure that the prices provided are not falsely perceived as fresh, even
when the sequencer is down (source).

Vulnerability Detail

If the sequencer goes down, the oracle may return stale prices since L2-submitted transactions will not be processed.

Impact

If the price oracle retrieves an incorrect price, this could lead to unexpected behaviour throughout the protocol, such as undercollateralized loans or unfair liquidations, causing loss of funds.

Code Snippet

    function getPriceFromChainlink(address base, address quote) internal view returns (uint256) {
        (, int256 price,,,) = registry.latestRoundData(base, quote); // @audit missing check on timestamp
        require(price > 0, "invalid price");

        // Extend the decimals to 1e18.
        return uint256(price) * 10 ** (18 - uint256(registry.decimals(base, quote)));
    }

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L67

Tool used

Manual Review

Recommendation

Determine whether the sequencer is offline or not when attempting to retrieve a price from a Chainlink data feed.

Duplicate of #440