Submission Details
Severity:
Incorrect Ternary operator used give TWAP when asked for Spot price & vice versa
Summary
Wrong Ternary operator in LibChainlinkOracle.sol 's getTokenPrice.sol function returns spot price when asked for TWAP price of asset and vice versa
Vulnerability Details
/**
* @dev Returns the TOKEN/USD price with the option of using a TWA lookback.
* Use `lookback = 0` for the instantaneous price. `lookback > 0` for a TWAP.
* Return value has 6 decimal precision.
* Returns 0 if `priceAggregatorAddress` is broken or frozen.
**/
function getTokenPrice(
address priceAggregatorAddress,
uint256 maxTimeout,
uint256 lookback
) internal view returns (uint256 price) {
return
lookback > 0 ///@audit < incorrect conditional
? getPrice(priceAggregatorAddress, maxTimeout)
: getTwap(priceAggregatorAddress, maxTimeout, lookback);
}
in the highlighted line when lookback is greater than 0 as explained in the code comments should return a TWAP price but it just returns spot price.
Impact
Though chainlink oracles are pretty manipulation resistant it breaks a core functionality of the code which is accessing TWAP price when required
Tools Used
Manual Review
Recommendations
function getTokenPrice(
address priceAggregatorAddress,
uint256 maxTimeout,
uint256 lookback
) internal view returns (uint256 price) {
return
lookback > 0 ///@audit < now corrected
? getTwap(priceAggregatorAddress, maxTimeout, lookback);
: getPrice(priceAggregatorAddress, maxTimeout)
}
Updates
Lead Judging Commences
inallhonesty 12 months ago
Submission Judgement Published Assigned finding tags:
getTokenPrice never gives TWAP
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.