code-423n4 / 2021-11-vader-findings


Unclear `TwapOracle.consult` algorithm #173

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The `TWAPOracle.consult` function is unclear to the auditor. It seems to iterate through all registered pairs that share the `token` parameter (USDV or VADER), sums up the per-token price of each foreign token pair, and divides this sum (`sumNative`) by the summed-up USD price of these foreign token pairs (`sumUSD`).

I think the idea is to create some kind of average price but doing it like this does not seem to be effective because large prices are weighted a lot stronger than low prices.

Example

Assume there are 3 USDV pairs registered: (ETH, DAI, USDC).

Oracle price: USDV/ETH 4500, USDV/DAI 1, USDV/USDC 1

Pool price: USDV/ETH 4500, USDV/DAI 10, USDV/USDC 10

Even though the DAI and USDC pool prices are off by 10x, the final result is 4502/4520 = 0.996017699, very close to a price of 1.0, which seems strange.

Recommended Mitigation Steps

Document how the algorithm works and make sure it's correct. Resolve the TODO.
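A numeric model of the weighting problem described in this finding, added here as an example; it is not the Vader contract's code. It assumes the issue's reading of `consult()` (a ratio of summed oracle prices to summed pool prices, named `sumNative`/`sumUSD`), uses constructed `PairSample` values taken from the example above, and contrasts that aggregation with an equal-weight mean and a per-pair deviation check that would have flagged the 10x discrepancy:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PairSample:
    """One registered pair: its oracle (TWAP) price and its current pool price,
    both quoted as USDV per unit of the foreign token (constructed values)."""
    foreign: str
    oracle_price: float
    pool_price: float


# Constructed sample reproducing the finding's example: DAI and USDC pool prices are 10x off.
PAIRS = [
    PairSample("ETH", 4500.0, 4500.0),
    PairSample("DAI", 1.0, 10.0),
    PairSample("USDC", 1.0, 10.0),
]


def ratio_of_sums(pairs):
    """Model of the consult() aggregation as read in the issue (an assumption, not the
    contract's code): summed oracle prices divided by summed pool prices."""
    sum_native = sum(p.oracle_price for p in pairs)
    sum_usd = sum(p.pool_price for p in pairs)
    return sum_native / sum_usd


def mean_of_ratios(pairs):
    """Equal-weight alternative: average each pair's own oracle/pool ratio, so a
    high-priced pair such as ETH cannot drown out the stablecoin pairs."""
    return sum(p.oracle_price / p.pool_price for p in pairs) / len(pairs)


def deviating_pairs(pairs, max_factor):
    """Per-pair sanity check: names of pairs whose pool price differs from the oracle
    price by more than max_factor (e.g. 1.5 means a deviation above +-50%)."""
    bad = []
    for p in pairs:
        factor = max(p.pool_price, p.oracle_price) / min(p.pool_price, p.oracle_price)
        if factor > max_factor:
            bad.append(p.foreign)
    return bad


if __name__ == "__main__":
    print(f"ratio of sums : {ratio_of_sums(PAIRS):.6f}")      # 0.996018
    print(f"mean of ratios: {mean_of_ratios(PAIRS):.6f}")     # 0.400000
    print(f"deviating     : {deviating_pairs(PAIRS, 1.5)}")  # ['DAI', 'USDC']
```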

SamSteinGG commented 2 years ago

The TWAP oracle module has been completely removed and redesigned from scratch as LBTwap that is subject of the new audit.