It is recommended that the `lookback` parameter be updated dynamically
Summary
The lookback parameter in the LibUsdOracle::getUsdPrice and LibUsdOracle::getTokenPrice functions should be dynamically updated.
Vulnerability Details
The LibUsdOracle::getUsdPrice function calls the LibUsdOracle::getUsdPrice function with second parameter equals to 0. The second parameter is the lookback. That means the instantaneous price is desired. Otherwise, it should be the TWAP lookback in seconds:
Also, the LibUsdOracle::getTokenPrice function calls the LibUsdOracle::getTokenPrice function. This function also accepts as second parameter the lookback value. And this value is set to 0.
Impact
If there is necessary the lookback value to be different than 0, there is no possibility to change it. The only way to change the lookback value in these functions will be if the contracts are re-deployed (that is not a solution).
Therefore, it is recommended the lookback value to be set to a variable that can be updated. In this way the time period can be changed by the owner of contract in accordance to the needs.
Tools Used
Manual Review
Recommendations
Define a variable (for example: lookback) and add a function that can update this variable. This function should be called only by the owner of contract:
Lead Judging Commences
Informational/Invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.