The recordTrade function in Pricing updates the currentHour variable by 1 every hour. However, if there is no trade (i.e., the recordTrade is not called) during this hour, the currentHour is out of sync with the actual hour. As a result, the averagePriceForPeriod function uses the prices before 24 hours and causes errors on the average price.
Handle
shw
Vulnerability details
Impact
The
recordTradefunction inPricingupdates thecurrentHourvariable by 1 every hour. However, if there is no trade (i.e., therecordTradeis not called) during this hour, thecurrentHouris out of sync with the actual hour. As a result, theaveragePriceForPeriodfunction uses the prices before 24 hours and causes errors on the average price.Proof of Concept
Referenced code: Pricing.sol#L90-L94
Recommended Mitigation Steps
Calculate how much time passed (e.g.,
(block.timestamp - startLastHour) / 3600) to update thecurrentHourvariable correctly.