If _init()
is called with an empty reserves
array, it would initialize the oracle
without any reserve data
, which could lead to incorrect behavior in subsequent calculations that assume the presence of valid reserve data.
The update()
function is responsible for updating the oracle's state with new reserve
data. It calls _init()
internally when the oracle
is being used for the first time (indicated by lastTimestamp being 0
).
The issue arises because update()
does not check whether the reserves array
passed to it is non-empty before calling _init()
. If update()
is called with an empty reserves
array, _init()
will be called with this empty array, leading to the oracle being initialized with no reserve data.
There is a missing check for empty reserves
array here and therefore if update()
is called with an empty reserves array
, _init()
will set up the oracle
with no reserve data, which is not valid for an oracle that is supposed to track reserves.
Functions that rely on reserve data, such as readLastInstantaneousReserves(), readInstantaneousReserves(), readLastCumulativeReserves(), readCumulativeReserves()
, and readTwaReserves()
, would then revert everytime with NotInitialized()
error since numberOfReserves
will always be zero
.
Manual Review
_init()
should include a check to ensure that the reserves
array is not empty before proceeding with the initialization.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.