The TimeWeightedAverage library's updateValue function contains a significant design flaw that could enable manipulation of historical data within periods. While the current implementation's usage may not pose an immediate threat, this vulnerability warrants attention due to its potential impact in future implementations.
TimeWeightedAverage.sol::updateValue()
Current Validation (Insufficient):
if (timestamp < self.startTime || timestamp > self.endTime) { revert InvalidTime(); }
The validation only checks if the timestamp falls within the period bounds.
Updates can be backdated within a period
No chronological order enforcement
Historical data manipulation possible
Medium Risk - Latent Vulnerability
The vulnerability allows backdating updates within a period
Current implementation's usage limits practical exploitation
Time-weighted calculations could be corrupted
Future implementations could be severely impacted if this library is reused
While current usage patterns don't expose critical vulnerabilities, the design flaw represents a "time bomb" that could be exploited in future implementations. The library's fundamental role in time-weighted calculations makes this a significant concern for protocol security and data integrity.
Manual review
Add an additional check:
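An added illustration of the ordering check, not the library's Solidity code and not the submitter's patch: a simplified Python model of a time-weighted accumulator. Every field other than the start and end times, the `NonChronologicalUpdate` error, and all sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass

class InvalidTime(Exception):
    """Timestamp outside the period bounds (error name from the finding)."""

class NonChronologicalUpdate(Exception):
    """Hypothetical error: timestamp earlier than the last update."""

@dataclass
class Period:
    # start_time/end_time mirror the finding; other fields are assumed.
    start_time: int
    end_time: int
    value: int
    last_update_time: int
    weighted_sum: int = 0

def update_value(p, new_value, timestamp, enforce_order):
    # Bounds check quoted in the finding.
    if timestamp < p.start_time or timestamp > p.end_time:
        raise InvalidTime()
    # Added check: reject anything older than the most recent update.
    if enforce_order and timestamp < p.last_update_time:
        raise NonChronologicalUpdate()
    # Credit the outgoing value for its time in force (signed in this model).
    p.weighted_sum += p.value * (timestamp - p.last_update_time)
    p.value = new_value
    p.last_update_time = timestamp

def average(p):
    # Close the period at end_time and divide by its full length.
    total = p.weighted_sum + p.value * (p.end_time - p.last_update_time)
    return total / (p.end_time - p.start_time)

def run(updates, enforce_order):
    # Constructed sample period: 100 seconds long, initial value 10.
    p = Period(start_time=1000, end_time=1100, value=10, last_update_time=1000)
    for new_value, ts in updates:
        update_value(p, new_value, ts, enforce_order)
    return average(p)

# Constructed sequences: the second backdates its last update to t=1010.
IN_ORDER = [(20, 1050), (30, 1080)]
BACKDATED = [(20, 1050), (1000, 1010)]

if __name__ == "__main__":
    print(run(IN_ORDER, True))
    print(run(BACKDATED, False))
```

In this model the backdated sequence passes the bounds check and shifts the period average from the in-order 17.0 to 897.0; with the ordering check enabled it is rejected instead.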