Unvalidated Uniswap Oracle Zero Average Price

[code423n4]

Lines of code

https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/ManagedIndex.sol#L65-L72

Vulnerability details

Impact

When the pair has had little activity during the last 24 hours, price0Average' and 'price1Average can be zero (24 hours is the minimum interval for price refreshing). This might result in unpredictable behavior, such as inability to mint or redeem, or a condition that would result in users losing their funds.

Proof of Concept

According to the calculation, if priceNCumulative - priceNCumulativeLast is less than 86400 (24 hours), the price average will be zero.

Tools Used

None

Recommended Mitigation Steps

Add a zero value check on refreshing the average price.

[jn-lp]

Taking into account the logic of calculating the current price (it always depends on the timestamp of the block), we believe that these two values will never be equal, which means that their difference will not equal 0