DeFiHardhatOracleProxyUpdates
100,000 USDC
Submission Details
Severity: low
Invalid

Absence of lastSnapshot Data Validation in check Function

Summary

The check function retrieves a lastSnapshot from the wellOracleSnapshots mapping to calculate the time-weighted average change in reserve token balance (deltaB). However, the function does not perform any validation on the retrieved lastSnapshot data to ensure it is correctly formatted or contains valid reserve data before using it in calculations.

Vulnerability Details

There is no explicit check that the lastSnapshot data is correctly formatted or that it contains valid reserve data. The function assumes that the snapshot retrieved from the wellOracleSnapshots mapping is already in the correct format and holds valid data. Here's the relevant code snippet:

```solidity
// Raw snapshot bytes are read from diamond storage with no shape or content check.
bytes memory lastSnapshot = LibAppStorage
    .diamondStorage()
    .wellOracleSnapshots[well];
```

The lastSnapshot is then used directly in the twaDeltaB function without further validation:

```solidity
// Only a non-empty check guards the call; the bytes are otherwise passed through as-is.
if (lastSnapshot.length > 0) {
    (deltaB, , , ) = twaDeltaB(well, lastSnapshot);
}
```

Impact

Without proper validation, there is a risk that the lastSnapshot could contain incorrect or manipulated data, leading to inaccurate deltaB calculations. This could affect the integrity of the oracle data, potentially resulting in erroneous adjustments to the reserve balances of tokens within the liquidity pool.

Tools Used

Manual review

Recommendations

  1. Implement checks to verify that the lastSnapshot conforms to the expected data structure. This could include length checks and format checks based on the expected encoding of the snapshot.

  2. Add logic to validate the contents of the lastSnapshot. This could involve checking that reserve values are within reasonable bounds and that the data is internally consistent.

  3. Use cryptographic methods, such as checksums or hashes, to ensure that the lastSnapshot has not been tampered with since its last update.
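As an added, hypothetical illustration of recommendations 1 and 2 (this is neither the audited project's code nor the submission author's), a validating decoder that a caller could run on the snapshot bytes before handing them to a time-weighted average calculation. It assumes the snapshot is `abi.encode(uint256[] reserves, uint40 timestamp)`; the real pump encoding may differ, and `expectedReserves`, `maxAge` and `MAX_RESERVE` are illustrative parameters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical helper, not the project's code. Assumed snapshot layout:
/// abi.encode(uint256[] reserves, uint40 timestamp). Adjust the decode if
/// the actual pump encoding differs.
library SnapshotValidation {
    error EmptySnapshot();
    error MalformedSnapshot(uint256 length);
    error ReserveCountMismatch(uint256 expected, uint256 actual);
    error ReserveOutOfBounds(uint256 index, uint256 value);
    error StaleSnapshot(uint40 snapshotTime, uint40 nowTime);

    // Illustrative upper bound: a reserve above this is treated as corrupted data.
    uint256 internal constant MAX_RESERVE = type(uint128).max;

    /// Decode and validate a stored snapshot; reverts instead of returning garbage.
    function decodeChecked(
        bytes memory snapshot,
        uint256 expectedReserves,
        uint40 maxAge
    ) internal view returns (uint256[] memory reserves, uint40 timestamp) {
        if (snapshot.length == 0) revert EmptySnapshot();
        // abi.encode(uint256[], uint40) is a multiple of 32 bytes and, with at
        // least one reserve, is >= 128 bytes: offset + timestamp + length + 1 element.
        if (snapshot.length % 32 != 0 || snapshot.length < 128) {
            revert MalformedSnapshot(snapshot.length);
        }
        // Structural check: abi.decode itself reverts on a truncated or mis-typed payload.
        (reserves, timestamp) = abi.decode(snapshot, (uint256[], uint40));
        if (reserves.length != expectedReserves) {
            revert ReserveCountMismatch(expectedReserves, reserves.length);
        }
        // Content check: zero or implausibly large reserves would distort the average.
        for (uint256 i = 0; i < reserves.length; i++) {
            if (reserves[i] == 0 || reserves[i] > MAX_RESERVE) {
                revert ReserveOutOfBounds(i, reserves[i]);
            }
        }
        // Internal consistency: a snapshot from the future or older than maxAge is rejected.
        if (timestamp > block.timestamp || block.timestamp - timestamp > maxAge) {
            revert StaleSnapshot(timestamp, uint40(block.timestamp));
        }
    }
}
```

A caller would invoke `SnapshotValidation.decodeChecked(lastSnapshot, reserveCount, maxAge)` in place of passing the raw bytes through, so a malformed snapshot reverts before any deltaB is computed.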

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

Informational/Invalid
