Closed code423n4 closed 2 years ago
The severity of the finding should be reduced as it relies on ill behavior from its owner which is a multisignature address.
The severity rating is valid since the signers might not be aware of the limitation, or the limitation might be reached by natural means.
The TWAP oracle module has been completely removed and redesigned from scratch as LBTwap that is subject of the new audit.
Handle
TomFrench
Vulnerability details
Impact
Loss of ability of
TwapOracle
to update should too many pools be added.Proof of Concept
TwapOracle
allows an unlimited number of pairs to be added and has no way of removing pairs after the fact. At the same timeTwapOracle.update
iterates through all pairs in order to update value for each pair.https://github.com/code-423n4/2021-11-vader/blob/3a43059e33d549f03b021d6b417b7eeba66cf62e/contracts/twap/TwapOracle.sol#L322-L369
TwapOracle.registerPair
is a permissioned function so that only the owner can add new pairs however should the owner account be compromised or not mindful of the number of pairs being added it is possible to put the oracle into a state in which it is unable to update. The oracle cannot recover from this state.Recommended Mitigation Steps
Possible options: