DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

It is recommended that the `lookback` parameter be updated dynamically

Summary

The lookback parameter in the LibUsdOracle::getUsdPrice and LibUsdOracle::getTokenPrice functions should be dynamically updated.

Vulnerability Details

The single-argument LibUsdOracle::getUsdPrice function calls the two-argument LibUsdOracle::getUsdPrice function with the second parameter equal to 0. The second parameter is the lookback. A value of 0 means the instantaneous price is desired; otherwise, it should be the TWAP lookback in seconds:

function getUsdPrice(address token) internal view returns (uint256) {
    return getUsdPrice(token, 0);
}

Likewise, the single-argument LibUsdOracle::getTokenPrice function calls the two-argument LibUsdOracle::getTokenPrice function, which also accepts the lookback value as its second parameter. This value is again set to 0.

function getTokenPrice(address token) internal view returns (uint256) {
    //note: lookback 0 means the price is the current
    return getTokenPrice(token, 0);
}

Impact

If the lookback value ever needs to be different from 0, there is no way to change it. The only way to change the lookback value in these functions would be to re-deploy the contracts (which is not a solution).
Therefore, it is recommended that the lookback value be held in a variable that can be updated. That way the time period can be changed by the contract owner as needed.

Tools Used

Manual Review

Recommendations

Define a variable (for example: lookback) and add a function that can update this variable. This function should be callable only by the owner of the contract:

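uint256 lookback; // TWAP lookback in seconds; 0 means the instantaneous price
// external (not internal) so that the owner can actually call it
function updateLookback(uint256 newLookback) external onlyOwner {
    lookback = newLookback;
}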
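
The recommendation above, written out as an added example (not part of the submission or the project's code), with an upper bound and an event so that owner changes to the TWAP window are limited and auditable. The contract name, `MAX_LOOKBACK`, the event, the errors and the single-owner model are assumptions; the two-argument `getUsdPrice` is left abstract as a stand-in for the real price source.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch: every name except getUsdPrice and lookback is hypothetical.
abstract contract ConfigurableLookbackOracle {
    address public immutable owner;

    // TWAP window in seconds; 0 means "use the instantaneous price".
    uint256 public lookback;

    // Assumed ceiling so a mistaken or malicious update cannot pick an arbitrary window.
    uint256 public constant MAX_LOOKBACK = 1 days;

    event LookbackUpdated(uint256 oldLookback, uint256 newLookback);

    error NotOwner();
    error LookbackTooLong(uint256 requested, uint256 max);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // external: the owner calls this from outside the contract.
    function updateLookback(uint256 newLookback) external onlyOwner {
        if (newLookback > MAX_LOOKBACK) revert LookbackTooLong(newLookback, MAX_LOOKBACK);
        emit LookbackUpdated(lookback, newLookback);
        lookback = newLookback;
    }

    // The single-argument wrapper reads the stored value instead of hard-coding 0.
    function getUsdPrice(address token) public view returns (uint256) {
        return getUsdPrice(token, lookback);
    }

    // Stand-in for the two-argument price source shown in the finding.
    function getUsdPrice(address token, uint256 lookbackSeconds)
        public view virtual returns (uint256);
}
```
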
Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational/Invalid
