Summary

The MultiFlowPump contract lacks a mechanism to rate limit the frequency of reserve updates. This absence could allow an attacker to spam the update function, potentially manipulating the reserves and affecting the price calculations derived from those reserves.

Vulnerability Details

The update function is designed to adjust the reserves based on new information. However, without checks to enforce a minimum interval between updates, there's nothing to prevent back-to-back calls that could be used to manipulate the contract's state. The contract uses block timestamps to calculate the time delta between updates, but it does not enforce a minimum waiting period. This means that if multiple blocks are mined in quick succession, each containing a transaction to update the reserves, the contract's state could be altered significantly within a short timeframe

Impact

An attacker could exploit the lack of rate limiting by performing rapid and numerous updates to the reserves, which could lead to artificial inflation or deflation of the values used in the contract's calculations. This could distort the expected behavior of the contract's geometric EMA and cumulative geometric SMA, leading to incorrect price oracles and potentially resulting in financial loss or gain for the attacker.

Tools Used

manual review

Recommendations

1. Introduce a variable that enforces a minimum time interval between successful calls to the update function. This could be a simple timestamp check that ensures a certain amount of time has passed since the last update.

2. ensure that updates can only occur once per block. This would prevent multiple updates within the same block, regardless of the block time.

3. Introduce a throttling mechanism that limits the number of updates that can be made over a larger time window, such as an hour or a day.