The QuantAMMMathMovingAverage contract implements an exponential moving average calculation for price updates. The critical calculation occurs in _calculateQuantAMMMovingAverage():
The implementation uses fixed-point arithmetic with PRBMath's SD59x18, where values are scaled by 1e18. Every SD59x18 multiplication truncates its full-precision product back to 1e18 resolution, so the order of operations decides which intermediate value absorbs that truncation. The concern raised here is that the chosen order can make the stored moving average diverge from the exact EMA when the update term is small relative to one 1e-18 unit or when lambda is close to 1 (so that oneMinusLambda is tiny).
The issue arises because:
The subtraction _newData[i] - movingAverageI is performed first
This difference is then multiplied by oneMinusLambda
Finally, the result is added to movingAverageI
The magnitude of _newData[i] and movingAverageI does not by itself cause the loss: the product (_newData[i] - movingAverageI) * oneMinusLambda is computed at full precision and only then scaled down by 1e18, so the absolute rounding error of that single multiplication is strictly less than one unit (1e-18) regardless of how large the operands are. The truncation is non-zero exactly when the product is not a multiple of 1e18. An attacker who can choose _newData[i] can control the sign of the truncation, but the effect per update is bounded by one unit; whether that is exploitable depends on how sensitive downstream consumers of the moving average are to 1e-18-level deviations, which the report does not quantify.
For example, with the values originally given in the report:
_newData[i] = 1e24 (1,000,000 * 1e18)
movingAverageI = 1e24 - 1e20
oneMinusLambda = 0.1 * 1e18
the difference is 1e20, the scaled product is 1e20 * 1e17 / 1e18 = 1e19 exactly, and no digits are lost. Truncation only appears when the product has a remainder modulo 1e18: with movingAverageI = 1e24 - 7 (seven units below the new price) the difference is 7, the product 7e17 is truncated to 0, and the exact update of 0.7 units is dropped entirely, leaving the moving average unchanged.
Moving average calculations can drift from their exact value through truncation, leading to incorrect price updates and potentially to economic attacks if the affected logic is sensitive to that drift. Because the error of one truncating multiplication is below one 1e-18 unit and lambda < 1 makes the recursion contractive, the deviation does not compound without bound; the impact claim should be weighed against that bound.
Restructure the calculation to minimize precision loss by rearranging the operations, and verify the rearranged form against the exact result before adopting it. The algebraically equivalent form lambda * movingAverageI + oneMinusLambda * _newData[i] performs two truncating multiplications instead of one, so it can round worse, not better, than the current subtract-then-multiply form.
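To put numbers on the two orderings, here is an added Python model of the arithmetic. It is not the contract's code (which does not appear on this page); sd_mul is a stand-in for PRBMath's SD59x18 mul and assumes the library rounds the scaled product toward zero. It reproduces the report's example, the seven-unit truncation case, a case where the rearranged form loses a full unit while the current form is exact, and a randomized check of the error bound for each form.

```python
from fractions import Fraction
import random

SCALE = 10**18  # SD59x18: 18 fractional decimals, values are ints scaled by 1e18


def sd_mul(x: int, y: int) -> int:
    """Model of SD59x18 mul: full-precision product scaled down by 1e18.
    Assumption: rounds toward zero, like PRBMath's signed mul."""
    prod = x * y
    q = abs(prod) // SCALE
    return q if prod >= 0 else -q


def ema_sub_first(new: int, ma: int, one_minus_lambda: int) -> int:
    """Order discussed in the report: ma + (new - ma) * (1 - lambda).
    Exactly one truncating multiplication."""
    return ma + sd_mul(new - ma, one_minus_lambda)


def ema_weighted(new: int, ma: int, one_minus_lambda: int) -> int:
    """Algebraically equivalent rearrangement: lambda * ma + (1 - lambda) * new.
    Two truncating multiplications, so two independent rounding errors."""
    lam = SCALE - one_minus_lambda
    return sd_mul(lam, ma) + sd_mul(one_minus_lambda, new)


def ema_exact(new: int, ma: int, one_minus_lambda: int) -> Fraction:
    """Exact rational EMA, in 1e-18 units, for comparison."""
    return Fraction(ma) + Fraction(new - ma) * Fraction(one_minus_lambda, SCALE)


def rounding_error(fn, new: int, ma: int, one_minus_lambda: int) -> Fraction:
    """Signed error (fixed-point result minus exact result), in 1e-18 units."""
    return Fraction(fn(new, ma, one_minus_lambda)) - ema_exact(new, ma, one_minus_lambda)


def error_bound_holds(fn, bound: int, trials: int = 2000, seed: int = 1) -> bool:
    """Randomized check that |error| < bound units for fn over constructed inputs,
    including negative differences so the round-toward-zero path is exercised."""
    rng = random.Random(seed)
    for _ in range(trials):
        new = rng.randint(-10**27, 10**27)
        ma = rng.randint(-10**27, 10**27)
        oml = rng.randint(1, SCALE - 1)  # oneMinusLambda strictly inside (0, 1)
        if abs(rounding_error(fn, new, ma, oml)) >= bound:
            return False
    return True


if __name__ == "__main__":
    cases = [
        ("report example", 10**24, 10**24 - 10**20, 10**17),
        ("7-unit gap", 10**24, 10**24 - 7, 10**17),
        ("weighted form loses a unit", 10**24 + 3, 10**24 - 7, 10**17),
    ]
    for name, new, ma, oml in cases:
        print(name,
              "sub-first err:", rounding_error(ema_sub_first, new, ma, oml),
              "weighted err:", rounding_error(ema_weighted, new, ma, oml))
    print("sub-first |err| < 1 unit:", error_bound_holds(ema_sub_first, 1))
    print("weighted  |err| < 2 units:", error_bound_holds(ema_weighted, 2))
```

Running it shows the report's own example is exact in both forms, the seven-unit gap drops 0.7 units in both, and for new = 1e24 + 3 against ma = 1e24 - 7 the subtract-first form is exact while the two-multiplication form is off by a full unit. The randomized sweep confirms the single-multiplication form never exceeds one unit of error, which is the bound any impact assessment has to work with.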