bin2chen - getPriceFromChainlink() doesn't check If Arbitrum sequencer is down in Chainlink feeds #440
Comments
Valid medium
Regarding the mistake in the contest details mentioned in the We are aware of the absence of a registry on OP and Arb, as pointed out by some individuals. We would like to inquire if it is possible to offer the minimum reward for an oracle issue on L2. Thank you.
We'll fix this when deploying on L2, but we disagree with Severity. I would consider this as Low
According to past reports and sponsor confirmed that they will fix the issue. The issue will remain as a medium.
Assuming this issue is acknowledged by the protocol team and won’t be fixed.
bin2chen
medium
getPriceFromChainlink() doesn't check If Arbitrum sequencer is down in Chainlink feeds
Summary
When utilizing Chainlink in L2 chains like Arbitrum, it's important to ensure that the prices provided are not falsely perceived as fresh, even when the sequencer is down. This vulnerability could potentially be exploited by malicious actors to gain an unfair advantage.
Vulnerability Detail
There is no check:
getPriceFromChainlink
Impact
This could potentially be exploited by malicious actors to gain an unfair advantage.
Code Snippet
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L66-L72
Tool used
Manual Review
Recommendation
Code example from Chainlink:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code