This repository has been archived by the owner on Oct 20, 2024. It is now read-only.

nuthan2x - No check for active L2 Sequencer #155

Closed

github-actions bot opened this issue Apr 22, 2024 · 0 comments
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments


github-actions bot commented Apr 22, 2024

nuthan2x

medium

No check for active L2 Sequencer

Summary

Using Chainlink on L2 chains such as Arbitrum requires checking whether the sequencer is down, to avoid prices looking fresh when they are not, according to Chainlink's recommendation.

Recent example issues

  1. Vagner - getOraclePrice in SingleSidedLPVaultBase.sol does not check if the sequencer is down for Arbitrum/Optimism 2023-10-notional-judging#44

  2. berndartmueller - Arbitrum sequencer downtime lasting before and beyond epoch expiry prevents triggering depeg 2023-03-Y2K-judging#422

Vulnerability Detail

Not checking the L2 sequencer uptime will lead to exchanging the tokens at an unintended price. Implement the checks listed in the recommendation.

function getExpectedExchange(address yieldToken) external view returns (uint256) {
    uint256 expectedExchange;
    address[] memory token = new address[](1);
    uint256 totalToSwap = TokenUtils.safeBalanceOf(rewardToken, address(this));

    // Ensure that round is complete, otherwise price is stale.
    (
        uint80 roundID,
        int256 opToUsd,
        ,
        uint256 updateTime,
        uint80 answeredInRound
    ) = IChainlinkOracle(opToUsdOracle).latestRoundData();

    require(
        opToUsd > 0,
        "Chainlink Malfunction"
    );

    if( updateTime < block.timestamp - 1200 seconds ) {
        revert("Chainlink Malfunction");
    }

    // Ensure that round is complete, otherwise price is stale.
    (
        uint80 roundIDEth,
        int256 ethToUsd,
        ,
        uint256 updateTimeEth,
        uint80 answeredInRoundEth
    ) = IChainlinkOracle(ethToUsdOracle).latestRoundData();

    require(
        ethToUsd > 0,
        "Chainlink Malfunction"
    );

    if( updateTimeEth < block.timestamp - 1200 seconds ) {
        revert("Chainlink Malfunction");
    }

    // Find expected amount out before calling harvest
    if (debtToken == alUsdOptimism) {
        expectedExchange = totalToSwap * uint(opToUsd) / 1e8;
    } else if (debtToken == alEthOptimism) {
        expectedExchange = totalToSwap * uint(uint(opToUsd)) / uint(ethToUsd);
    } else {
        revert IllegalState("Invalid debt token");
    }

    return expectedExchange;
}

Impact

If the sequencer goes down, the protocol will allow users to continue to operate at the previous (stale) rates and this can be leveraged by malicious actors with stale oracle prices.

Code Snippet

https://github.com/sherlock-audit/2024-04-alchemix/blob/9ab3992c554a66025262e5b2eebdb2a9c5b41534/v2-foundry/src/utils/collectors/OptimismRewardCollector.sol#L90-L117

Tool used

Manual Review

Recommendation

It is recommended to follow the Chainlink example code.

Duplicate of #14
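
The sequencer-uptime check that the recommendation points to, written out as an added example. This is not part of the submission above or of the Alchemix code base; the contract name L2OracleReader, the custom errors, and the constructor parameters (uptime feed address, grace period, maximum price age) are assumptions for illustration. The pattern follows Chainlink's published L2 sequencer example: read the uptime feed, treat answer 0 as "up", and refuse to serve prices until a grace period has elapsed since the sequencer came back.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Minimal subset of Chainlink's AggregatorV3Interface (only latestRoundData is needed).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Illustrative helper (assumed name), not the project's own code. Feed addresses and
/// thresholds are constructor arguments because they differ per L2 and per deployment.
contract L2OracleReader {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice();
    error InvalidPrice();

    AggregatorV3Interface public immutable sequencerUptimeFeed;
    uint256 public immutable gracePeriod;   // e.g. 3600 seconds, the value used in Chainlink's example
    uint256 public immutable maxPriceAge;   // e.g. 1200 seconds, matching the collector's own staleness bound

    constructor(address _sequencerUptimeFeed, uint256 _gracePeriod, uint256 _maxPriceAge) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
        gracePeriod = _gracePeriod;
        maxPriceAge = _maxPriceAge;
    }

    /// Reverts unless the L2 sequencer is up and has been up for longer than the grace period.
    function _requireSequencerUp() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();

        // Chainlink's uptime feed encodes: answer == 0 -> sequencer up, answer == 1 -> down.
        if (answer != 0) revert SequencerDown();

        // startedAt is the timestamp of the latest status change. Immediately after the
        // sequencer returns, price feeds may still carry the values from before the outage,
        // so callers must wait out the grace period before relying on them.
        if (block.timestamp - startedAt <= gracePeriod) revert GracePeriodNotOver();
    }

    /// Reads a price feed only after the sequencer check, then applies the positivity,
    /// staleness and round-completeness checks that a consumer should apply on any chain.
    function getVerifiedPrice(address priceFeed) public view returns (uint256) {
        _requireSequencerUp();

        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(priceFeed).latestRoundData();

        if (answer <= 0) revert InvalidPrice();
        // updatedAt == 0 means the round never completed; answeredInRound < roundId
        // means the answer was carried over from an earlier round.
        if (updatedAt == 0 || answeredInRound < roundId) revert StalePrice();
        if (block.timestamp - updatedAt > maxPriceAge) revert StalePrice();

        return uint256(answer);
    }
}
```

In a collector like the one quoted above, both price reads (OP/USD and ETH/USD) would go through getVerifiedPrice so that the sequencer check runs before either price is trusted. The staleness bound alone does not cover an outage: while the sequencer is down no new L2 blocks are produced, so block.timestamp does not advance relative to the last feed update, and the 1200-second check passes on data that is in fact hours old.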

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Apr 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Old Leather Lemur - No check for active L2 Sequencer nuthan2x - No check for active L2 Sequencer Apr 30, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Apr 30, 2024
@WangSecurity WangSecurity added Excluded Excluded by the judge without consulting the protocol or the senior and removed High A valid High severity issue labels May 14, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels May 14, 2024