Absence of lastSnapshot Data Validation in check Function
Summary
The check function retrieves a lastSnapshot from the wellOracleSnapshots mapping to calculate the time-weighted average change in reserve token balance (deltaB). However, the function does not perform any validation on the retrieved lastSnapshot data to ensure it is correctly formatted or contains valid reserve data before using it in calculations.
Vulnerability Details
there is no explicit check to confirm that the lastSnapshot data is correctly formatted or that it contains valid reserve data. The function assumes that the snapshot retrieved from the wellOracleSnapshots mapping is already in the correct format and contains valid data. Here's the relevant code snippet:
The lastSnapshot is then used directly in the twaDeltaB function without further validation:
Impact
Without proper validation, there is a risk that the lastSnapshot could contain incorrect or manipulated data, leading to inaccurate deltaB calculations. This could affect the integrity of the oracle data, potentially resulting in erroneous adjustments to the reserve balances of tokens within the liquidity pool.
Tools Used
Manual review
Recommendations
Implement checks to verify that the lastSnapshot conforms to the expected data structure. This could include length checks and format checks based on the expected encoding of the snapshot.
Add logic to validate the contents of the lastSnapshot. This could involve checking that reserve values are within reasonable bounds and that the data is internally consistent.
Use cryptographic methods, such as checksums or hashes, to ensure that the lastSnapshot has not been tampered with since its last update.
Lead Judging Commences
Informational/Invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.