The check function retrieves a lastSnapshot from the wellOracleSnapshots mapping to calculate the time-weighted average change in reserve token balance (deltaB). However, the function does not perform any validation on the retrieved lastSnapshot data to ensure it is correctly formatted or contains valid reserve data before using it in calculations.
There is no explicit check confirming that the lastSnapshot data is correctly formatted or that it contains valid reserve data: the function assumes that the snapshot retrieved from the wellOracleSnapshots mapping is already in the correct format. Here's the relevant code snippet:
The lastSnapshot is then used directly in the twaDeltaB function without further validation:
Without proper validation, there is a risk that the lastSnapshot could contain incorrect or manipulated data, leading to inaccurate deltaB calculations. This could affect the integrity of the oracle data, potentially resulting in erroneous adjustments to the reserve balances of tokens within the liquidity pool.
Manual review
Implement checks to verify that the lastSnapshot conforms to the expected data structure. This could include length checks and format checks based on the expected encoding of the snapshot.
Add logic to validate the contents of the lastSnapshot. This could involve checking that reserve values are within reasonable bounds and that the data is internally consistent.
Use cryptographic methods, such as checksums or hashes, to ensure that the lastSnapshot has not been tampered with since its last update.
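The length, format and bounds checks recommended above could look like the following sketch. It is an added example, not code from the audited project: the snapshot layout (`abi.encode(uint256[])` with a known number of reserves), the `SnapshotCheck` library, and the `n` and `maxReserve` parameters are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration. The layout below is an assumption, not the project's
/// actual snapshot encoding: abi.encode(uint256[] reserves) with n entries.
library SnapshotCheck {
    error EmptySnapshot();
    error BadLength(uint256 got, uint256 want);
    error BadHeader(uint256 offset, uint256 count);
    error ReserveOutOfBounds(uint256 index, uint256 value);

    /// @param snapshot   raw bytes read from the snapshot mapping
    /// @param n          number of reserves the caller expects (hypothetical parameter)
    /// @param maxReserve upper bound the caller treats as plausible (hypothetical parameter)
    function validate(bytes memory snapshot, uint256 n, uint256 maxReserve)
        internal
        pure
        returns (uint256[] memory reserves)
    {
        // A never-initialised mapping entry reads back as empty bytes.
        if (snapshot.length == 0) revert EmptySnapshot();

        // Length check: offset word + length word + n value words.
        uint256 want = 32 * (2 + n);
        if (snapshot.length != want) revert BadLength(snapshot.length, want);

        // Format check: read the ABI head words before trusting abi.decode.
        uint256 offset;
        uint256 count;
        assembly {
            offset := mload(add(snapshot, 0x20))
            count := mload(add(snapshot, 0x40))
        }
        if (offset != 0x20 || count != n) revert BadHeader(offset, count);

        // Content check: every reserve must be non-zero and within the bound.
        reserves = abi.decode(snapshot, (uint256[]));
        for (uint256 i = 0; i < n; ++i) {
            uint256 r = reserves[i];
            if (r == 0 || r > maxReserve) revert ReserveOutOfBounds(i, r);
        }
    }
}
```

A caller would run `validate` on the stored bytes before passing them to the delta calculation, so a malformed or empty snapshot reverts instead of producing a deltaB.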