Closed code423n4 closed 11 months ago
asselstine marked the issue as sponsor confirmed
@asselstine aren't the Natspec comments here as a reminder for the dev and not to say that the functions actually implement these checks?
This report shows that getBalanceAt and getTwabBetween don't check, when there are multiple observations, that these observations are coherent with the requested time (check 3 in the report). It shows that this could lead to incorrect results for anyone querying these functions, but not how the accounting of the protocol or the internal functionalities are broken.
Picodes marked the issue as satisfactory
Picodes marked the issue as duplicate of #464
@Picodes I confirmed this one as I think the TwabController shouldn't be a leaky abstraction; it puts too much onus on the user to not shoot themselves in the foot.
Lines of code
https://github.com/GenerationSoftware/pt-v5-twab-controller/blob/0145eeac23301ee5338c659422dd6d69234f5d50/src/libraries/TwabLib.sol#L278-L321
https://github.com/GenerationSoftware/pt-v5-twab-controller/blob/0145eeac23301ee5338c659422dd6d69234f5d50/src/libraries/TwabLib.sol#L254-L276
Vulnerability details
Impact
The Natspec of both getBalanceAt and getTwabBetween states that they should use isTimeSafe and isTimeRangeSafe (respectively) to ensure that the queried timestamps are safe, but neither function applies these checks. As a result both functions can return wrong values, which in the end affects the protocol's accounting, since these functions are used to fetch user balances for a given period.

Proof of Concept
I will start by explaining what the functions isTimeSafe and isTimeRangeSafe actually do. isTimeRangeSafe is basically a double call to isTimeSafe, for the start and end timestamps provided to it, so to understand what both functions do we should look at isTimeSafe:

The function's work can be summarised as three checks:
1- A check for the case where there are no observations, or just a single one.
2- A check on the newest observation, to see whether the target time is after it.
3- A check to see whether the target time falls in a period between the old period and the next period.
We can see in the Natspec of the getBalanceAt function that it is supposed to use isTimeSafe to ensure the timestamps are safe; likewise, the Natspec of the getTwabBetween function says that isTimeRangeSafe should be used to ensure the timestamps are safe. But as both code snippets above show, neither isTimeSafe nor isTimeRangeSafe is used in either function.

We can also notice that both functions call _getPreviousOrAtObservation, and by going through its logic we can see that it implements the first two checks of isTimeSafe but not the last one. Because _getPreviousOrAtObservation does not perform the last check on the periods, both getBalanceAt and getTwabBetween can return a wrong result, and since the protocol uses them to fetch the balances of users (or vaults), this issue can disrupt the correct working of the system.

Tools Used
Manual review
Recommended Mitigation Steps
To resolve this issue I recommend adding a check on the previous and next periods found in _getPreviousOrAtObservation. This will make the function behave like isTimeSafe and ensure that the queried timestamps are safe in both getBalanceAt and getTwabBetween.

Assessed type
Invalid Validation
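To make the three checks from the proof of concept and the recommended mitigation concrete, here is a constructed Python model of an observation buffer that keeps one observation per period. It is added for this write-up and is not TwabLib's code: the period length, period offset, the overwrite rule, the balances and timestamps, and the assumption that queried times lie in the past are all assumptions of the model. It shows why a lookup that skips the period check is not final: the unchecked lookup returns one balance, a later write in the same period overwrites that period's observation, and the same query then returns a different balance, whereas the period check (check 3) rejects that query up front and accepts a query in a period that holds no observation.

```python
# Constructed model of the observation buffer and the three time-safety checks
# described in the report. Added as an illustration; it is not TwabLib's code,
# and the period length, offset, overwrite rule and sample values are all
# assumptions of this model.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PERIOD_LENGTH = 3600       # assumed period length in seconds
PERIOD_OFFSET = 1_000_000  # assumed timestamp at which period 0 starts


@dataclass
class Observation:
    timestamp: int
    balance: int


def period_of(ts: int) -> int:
    """Index of the period that a timestamp falls into."""
    return (ts - PERIOD_OFFSET) // PERIOD_LENGTH


class TwabModel:
    """At most one observation per period: a write in the same period as the
    newest observation overwrites it, which is why a lookup inside that
    period is not final."""

    def __init__(self) -> None:
        self.observations: List[Observation] = []

    def record(self, now: int, balance: int) -> None:
        if self.observations and period_of(self.observations[-1].timestamp) == period_of(now):
            self.observations[-1] = Observation(now, balance)
        else:
            self.observations.append(Observation(now, balance))

    def previous_or_at(self, t: int) -> Tuple[Optional[Observation], Optional[Observation]]:
        """Newest observation at or before t, and the first one after t."""
        prev: Optional[Observation] = None
        for obs in self.observations:
            if obs.timestamp <= t:
                prev = obs
            else:
                return prev, obs
        return prev, None

    def is_time_safe(self, t: int) -> bool:
        """The three checks from the report, for a query time t in the past."""
        # Check 1: no observations, or a single one.
        if not self.observations:
            return False
        newest = self.observations[-1]
        if len(self.observations) == 1:
            return period_of(t) > period_of(newest.timestamp)
        # Check 2: the target time lies in a period after the newest observation.
        if period_of(t) > period_of(newest.timestamp):
            return True
        # Check 3: t must not share a period with the observation at or before
        # it, nor with the observation after it.
        prev, nxt = self.previous_or_at(t)
        if prev is None or period_of(t) == period_of(prev.timestamp):
            return False
        if nxt is not None and period_of(t) == period_of(nxt.timestamp):
            return False
        return True

    def balance_at_unchecked(self, t: int) -> int:
        """Lookup shape the report describes for getBalanceAt: no safety check."""
        prev, _ = self.previous_or_at(t)
        return prev.balance if prev is not None else 0

    def balance_at_checked(self, t: int) -> int:
        """Recommended shape: refuse a lookup whose result is not yet final."""
        if not self.is_time_safe(t):
            raise ValueError(f"timestamp {t} is not time-safe")
        return self.balance_at_unchecked(t)


def demonstrate_unstable_lookup() -> Tuple[int, int, bool]:
    """Constructed scenario: the unchecked answer for t changes after a later
    write in the same period; check 3 flags t as unsafe beforehand."""
    m = TwabModel()
    p0 = PERIOD_OFFSET
    m.record(p0 + 100, 1_000)                    # period 0
    m.record(p0 + PERIOD_LENGTH + 100, 1_500)    # period 1
    t = p0 + PERIOD_LENGTH + 200                 # inside period 1, after the write
    before = m.balance_at_unchecked(t)           # 1500
    safe = m.is_time_safe(t)                     # False
    m.record(p0 + PERIOD_LENGTH + 300, 2_000)    # overwrites period 1's observation
    after = m.balance_at_unchecked(t)            # 1000: the answer moved
    return before, after, safe


def demonstrate_safe_lookup() -> int:
    """Constructed scenario: t lies in a period with no observation, between
    two observed periods, so the checked lookup accepts it."""
    m = TwabModel()
    p0 = PERIOD_OFFSET
    m.record(p0 + 100, 1_000)                        # period 0
    m.record(p0 + 2 * PERIOD_LENGTH + 50, 3_000)     # period 2
    return m.balance_at_checked(p0 + PERIOD_LENGTH + 10)  # period 1 -> 1000


if __name__ == "__main__":
    print(demonstrate_unstable_lookup())
    print(demonstrate_safe_lookup())
```

The model deliberately keeps the period rule conservative: any query that shares a period with a bracketing observation is refused, which is the behaviour the report asks _getPreviousOrAtObservation to enforce so that getBalanceAt and getTwabBetween can only return values that later writes cannot change.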