Closed. code423n4 closed this issue 2 years ago.
Finding doesn't have code / POC but is going for a High Severity
Without an exploration of the potential impact here as it relates to Nibbl or a POC, this is QA type feedback. Merging with the warden's QA report #264
Lines of code
https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Twav/Twav.sol#L12
Vulnerability details
Description
The TWAV window is only 4 blocks, which is only about 1 minute on Ethereum; many layer-2 chains have even shorter block times. An attacker can therefore move the averaged value with very little effort, since a single distorted block makes up a large share of the window.
Many real-world hacks have exploited short averaging windows; some typical ones are cited below.
Suggested Fix
Increase the window size.
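To make the description and the suggested fix concrete, the following simulation is an added example (not Nibbl's code and not part of the original finding). It assumes a generic time-weighted average in which each observation stores a block timestamp and a running cumulative valuation, the average being the cumulative difference between the newest and oldest stored observation divided by the elapsed time; the 12-second block time, the fair valuation of 100 and the one-block distortion to 1000 are constructed values. It reports how far the average is pulled from the fair value by one distorted block for a 4-block window versus a 32-block window.

```python
from collections import deque

BLOCK_TIME = 12  # seconds per block, constructed for the simulation


class Twav:
    """Time-weighted average valuation over the last `window` observations.

    Assumed structure (not Nibbl's implementation): every update stores the
    block timestamp and the cumulative valuation*seconds accumulated so far;
    read() divides the cumulative difference between the newest and oldest
    stored observation by the elapsed seconds between them.
    """

    def __init__(self, window: int):
        self.window = window
        self.obs = deque(maxlen=window)  # ring buffer of (timestamp, cumulative)
        self.cumulative = 0
        self.last_ts = None
        self.last_val = None

    def update(self, valuation: int, timestamp: int) -> None:
        if self.last_ts is not None:
            # the previous valuation was in force since the previous update
            self.cumulative += self.last_val * (timestamp - self.last_ts)
        self.obs.append((timestamp, self.cumulative))
        self.last_ts, self.last_val = timestamp, valuation

    def read(self) -> float:
        oldest_ts, oldest_cum = self.obs[0]
        newest_ts, newest_cum = self.obs[-1]
        if newest_ts == oldest_ts:
            return float(self.last_val)  # not enough history yet
        return (newest_cum - oldest_cum) / (newest_ts - oldest_ts)


def simulate(window: int, fair: int = 100, spike: int = 1000, history: int = 60) -> float:
    """Return the TWAV read right after one distorted block has been absorbed,
    expressed as a multiple of the fair value (constructed scenario)."""
    twav = Twav(window)
    for i in range(history):
        twav.update(fair, i * BLOCK_TIME)           # steady fair valuation
    twav.update(spike, history * BLOCK_TIME)        # a single distorted block
    twav.update(fair, (history + 1) * BLOCK_TIME)   # valuation back to fair
    return twav.read() / fair


if __name__ == "__main__":
    for w in (4, 32):
        print(f"window={w:>2} blocks: TWAV is {simulate(w):.2f}x the fair value")
```

With the constructed inputs the 4-block window reads 4x the fair value after a single distorted block, while the 32-block window reads about 1.29x; the distortion shrinks roughly in proportion to the window length, which is the reasoning behind increasing the window size.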