Submission Details
Severity:
LibChainlinkOracle can't use TWAP
Summary
Condition is reversed. Now it uses instant price when lookback is specified and uses TWAP with zero lookback (equal to instant price).
Vulnerability Details
Here you can see that condition is reversed:
function getTokenPrice(
address priceAggregatorAddress,
uint256 maxTimeout,
uint256 lookback
) internal view returns (uint256 price) {
return
@> lookback > 0
@> ? getPrice(priceAggregatorAddress, maxTimeout)
@> : getTwap(priceAggregatorAddress, maxTimeout, lookback);
}
Impact
LibChainlinkOracle.getTokenPrice() always returns current price even when lookback is specified. Core mechanism of using Chainlink TWAP doesn't work.
Tools Used
Manual Review
Recommendations
Reverse logic
function getTokenPrice(
address priceAggregatorAddress,
uint256 maxTimeout,
uint256 lookback
) internal view returns (uint256 price) {
return
lookback > 0
- ? getPrice(priceAggregatorAddress, maxTimeout)
- : getTwap(priceAggregatorAddress, maxTimeout, lookback);
+ ? getTwap(priceAggregatorAddress, maxTimeout, lookback);
+ : getPrice(priceAggregatorAddress, maxTimeout)
}
Updates
Lead Judging Commences
inallhonesty 11 months ago
Submission Judgement Published Assigned finding tags:
getTokenPrice never gives TWAP
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.