Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Unchecked Overflow in `self.weightedSum` of `updateValue` Function

Summary

In `contracts/libraries/math/TimeWeightedAverage.sol`, the function `updateValue` performs its updates inside an `unchecked` block but does not verify whether `self.weightedSum` will overflow. This could lead to serious issues if the value exceeds the maximum limit of `uint256`.

Vulnerability Details

In TimeWeightedAverage.sol#L134, the function updateValue computes a timeWeightedValue and adds it to self.weightedSum. However, the code does not check whether this addition causes an overflow.

```solidity
function updateValue(
    Period storage self,
    uint256 newValue,
    uint256 timestamp
) internal {
    if (timestamp < self.startTime || timestamp > self.endTime) {
        revert InvalidTime();
    }
    unchecked {
        uint256 duration = timestamp - self.lastUpdateTime;
        if (duration > 0) {
            uint256 timeWeightedValue = self.value * duration;
            if (timeWeightedValue / duration != self.value) revert ValueOverflow();
            // Missing check for overflow when updating weightedSum
            self.weightedSum += timeWeightedValue;
            self.totalDuration += duration;
        }
    }
    self.value = newValue;
    self.lastUpdateTime = timestamp;
}
```

When `self.weightedSum` is updated, the function does not verify whether the sum exceeds the maximum `uint256` value, which could lead to an overflow.

Impact

If an overflow occurs, it can lead to unintended behavior, incorrect TWAP calculations, and potentially cause loss of funds or incorrect trading decisions in protocols relying on this function.

Tools Used

Manual code review

Recommendations

Before adding timeWeightedValue to self.weightedSum, a check should be added to prevent overflow:

```solidity
if (self.weightedSum + timeWeightedValue < self.weightedSum) revert ValueOverflow();
```

The corrected function:

```solidity
function updateValue(
    Period storage self,
    uint256 newValue,
    uint256 timestamp
) internal {
    if (timestamp < self.startTime || timestamp > self.endTime) {
        revert InvalidTime();
    }
    unchecked {
        uint256 duration = timestamp - self.lastUpdateTime;
        if (duration > 0) {
            uint256 timeWeightedValue = self.value * duration;
            if (timeWeightedValue / duration != self.value) revert ValueOverflow();
            if (self.weightedSum + timeWeightedValue < self.weightedSum) revert ValueOverflow();
            self.weightedSum += timeWeightedValue;
            self.totalDuration += duration;
        }
    }
    self.value = newValue;
    self.lastUpdateTime = timestamp;
}
```

This ensures that the update does not cause an overflow, improving the function's safety and reliability.
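
The wraparound and the recommended guard can be modelled outside the EVM. The Python sketch below is an added example, not code from the submission or the audited project: it reproduces the `unchecked` arithmetic of `updateValue` modulo 2^256 and omits the `startTime`/`endTime` check. The names `guard_sum` and `demo` and the starting state are constructed assumptions.

```python
from dataclasses import dataclass

MOD = 2**256  # unchecked uint256 arithmetic wraps modulo 2**256


class ValueOverflow(Exception):
    """Stands in for the Solidity custom error of the same name."""


@dataclass
class Period:
    # Only the Period fields that updateValue touches.
    value: int
    last_update_time: int
    weighted_sum: int = 0
    total_duration: int = 0


def update_value(p, new_value, timestamp, guard_sum):
    """Model of updateValue; guard_sum=True adds the recommended check."""
    duration = (timestamp - p.last_update_time) % MOD
    if duration > 0:
        twv = (p.value * duration) % MOD
        if twv // duration != p.value:  # existing multiplication check
            raise ValueOverflow("value * duration")
        new_sum = (p.weighted_sum + twv) % MOD
        # A wrapped sum is smaller than the operand it started from.
        if guard_sum and new_sum < p.weighted_sum:
            raise ValueOverflow("weightedSum + timeWeightedValue")
        p.weighted_sum = new_sum
        p.total_duration = (p.total_duration + duration) % MOD
    p.value = new_value
    p.last_update_time = timestamp


def demo(guard_sum):
    # Constructed state: accumulator sits 100 below the uint256 maximum.
    p = Period(value=50, last_update_time=1_000, weighted_sum=MOD - 1 - 100)
    update_value(p, new_value=60, timestamp=1_010, guard_sum=guard_sum)
    return p.weighted_sum


if __name__ == "__main__":
    print("unguarded weightedSum:", demo(False))
    try:
        demo(True)
    except ValueOverflow as err:
        print("guarded: reverted on", err)
```

In the unguarded run the multiplication check passes (50 * 10 = 500) and the accumulator silently wraps to 399; with the guard enabled the same update raises `ValueOverflow` before any state is written.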

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity