Inadequate checks to confirm the correct status of the sequecnce/sequecncerUptimeFeed in PriceFeed.getPrice() contract.

[howlbot-integration]

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/oracle/PriceFeed.sol#L63-L77

Vulnerability details

Bug Description

The PriceFeed contract has sequencerUptimeFeed checks in place to assert if the sequencer on an L2 is running but these checks are not implemented correctly. The chainlink docs say that sequencerUptimeFeed can return a 0 value for startedAt if it is called during an "invalid round".

Please note that an "invalid round" is described to mean there was a problem updating the sequencer's status, possibly due to network issues or problems with data from oracles, and is shown by a startedAt time of 0 and answer is 0. Further explanation can be seen as given by an official chainlink engineer as seen here in the chainlink public discord

https://discord.com/channels/592041321326182401/605768708266131456/1213847312141525002

This makes the implemented check below in the PriceFeed.getPrice() to be useless if its called in an invalid round.

            if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) { 
                revert Errors.GRACE_PERIOD_NOT_OVER();
            }

as startedAt will be 0, the arithmetic operation block.timestamp - startedAt will result in a value greater than GRACE_PERIOD_TIME (which is hardcoded to be 3600) i.e block.timestamp = 1719739032, so 1719739032 - 0 = 1719739032 which is bigger than 3600. The code won't revert.

Imagine a case where a round starts, at the beginning startedAt is recorded to be 0, and answer, the initial status is set to be 0. Note that docs say that if answer = 0, sequencer is up, if equals to 1, sequencer is down. But in this case here, answer and startedAt can be 0 initially, till after all data is gotten from oracles and update is confirmed then the values are reset to the correct values that show the correct status of the sequencer.

From these explanations and information, it can be seen that startedAt value is a second value that should be used in the check for if a sequencer is down/up or correctly updated. The checks in PriceFeed.getPrice() will allow for sucessfull calls in an invalid round because reverts dont happen if answer == 0 and startedAt == 0 thus defeating the purpose of having a sequencerFeed check to assertain the status of the sequencerFeed on L2 i.e if it is up/down/active or if its status is actually confirmed to be either.

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/oracle/PriceFeed.sol#L68C1-L76C14

            if (answer == 1) {
                // sequencer is down
                revert Errors.SEQUENCER_DOWN();
            }

            if (block.timestamp - startedAt <= GRACE_PERIOD_TIME) {
                // time since up
                revert Errors.GRACE_PERIOD_NOT_OVER();
            }

Impact

inadequate checks to confirm the correct status of the sequecncer/sequecncerUptimeFeed in PriceFeed.getPrice() contract will cause getPrice() to not revert even when the sequcncer uptime feed is not updated or is called in an invalid round.

Tools Used

manual review

Recommended Mitigation Steps

add a check that reverts if startedAt is returned as 0.

Assessed type

Oracle

[aviggiano]

This looks valid.

It's weird that the Chainlink sample code does not implement the check suggested by the documentation, as the warden points out.

Fixed in SizeCredit/size-solidity#140

[aviggiano]

CC smartcontractkit/documentation#1995

[hansfriese]

Nice catch!

[c4-judge]

hansfriese marked the issue as satisfactory

[c4-judge]

hansfriese marked the issue as selected for report