The price fetched from the TWAP Oracle is considered valid without checking the pool's liquidity when Chainlink's data is invalid. This allows the TWAP Oracle to return an invalid price which can be used for different protocol activities.
The TWAP Oracle acts as a fallback when the data fetched from Chainlink is invalid. TWAP oracles with low liquidity are susceptible to manipulation, hence the need to check the pool's liquidity to ensure the price is valid. When Chainlink's data is considered invalid, the price from the TWAP Oracle is returned without considering the liquidity of the pool.
Invalid prices can be returned from the TWAP Oracle and then used in activities like creating shorts, asks and bids, giving an attacker an unfair advantage.
VS Code
Check the liquidity of the TWAP Oracle's pool before returning its price when Chainlink's data is invalid.
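A minimal sketch of the recommended check, placed beside the unchecked shape the finding describes. This is an added example, not the audited protocol's code: the contract, interfaces, error names and the `minPoolWeth` threshold are all hypothetical, and the pool's WETH balance is assumed to be the liquidity measure.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: all names are hypothetical, not the audited code.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}

interface ITwapSource {
    // Assumed to return the pool's time-weighted price, 18 decimals.
    function twapPrice() external view returns (uint256);
}

contract TwapFallback {
    error InvalidTwapPrice();
    error LowPoolLiquidity(uint256 available, uint256 required);

    IERC20Like public immutable weth;     // reserve token used to gauge depth
    address public immutable pool;        // pool the TWAP is computed from
    ITwapSource public immutable twap;
    uint256 public immutable minPoolWeth; // assumed threshold, set at deploy

    constructor(IERC20Like _weth, address _pool, ITwapSource _twap, uint256 _minPoolWeth) {
        weth = _weth;
        pool = _pool;
        twap = _twap;
        minPoolWeth = _minPoolWeth;
    }

    // Shape described in the finding: the fallback price is trusted as-is.
    function fallbackUnchecked() external view returns (uint256) {
        return twap.twapPrice();
    }

    // Recommended shape: refuse the fallback price when the pool is thin.
    function fallbackChecked() external view returns (uint256 price) {
        uint256 available = weth.balanceOf(pool);
        if (available < minPoolWeth) revert LowPoolLiquidity(available, minPoolWeth);
        price = twap.twapPrice();
        if (price == 0) revert InvalidTwapPrice();
    }
}
```

Reverting on low liquidity means callers get no price at all rather than a manipulable one, so the protocol paths that consume the fallback need to handle that revert.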