c4-judge
commented
1 year ago Picodes marked the issue as satisfactory
Open code423n4 opened 1 year ago
c4-judge
commented
1 year ago Picodes marked the issue as satisfactory
Lines of code
Vulnerability details
Issue mitigated
About the problem
As described in the docs, pool together twab can't guarantee correct historical balances information for the periods that are not finalized yet, because they can be overwritten(observation will be updated) and balance can be manipulated in case if it is searched for such not finalized periods. Such problem was described in this report, which states, that
getTwabBetweenfunction doesn't check that_startTimeand_endTimeare timestamps in the finalized periods.Solution
Pool together has fixed that issue. Now they convert each timestamp to the corresponding period start timestamp and check that this timestamp is already finalized. So as result, request for the historical balances for the timestamps that are not finalized yet will revert and this bug is not present anymore.