V3Oracle.sol used an incorrect price difference validation logic which produced inconsistent results depending on which of the prices being compared ( ChainLink & TWAP) is bigger at the moment of comparison. As a result the price difference check inside _requireMaxDifference() was not validating properly if the configured max difference is violated.
Mitigation
PR-5 successfully mitigates the original issue by modifying _requireMaxDifference() so that it always uses the primary price as the base for the price difference calculations. This way the results are always consistent
Lines of code
Vulnerability details
C4 Issue
M-25: Asymmetric calculation of price difference
Issue Details
V3Oracle.sol
used an incorrect price difference validation logic which produced inconsistent results depending on which of the prices being compared ( ChainLink & TWAP) is bigger at the moment of comparison. As a result the price difference check inside_requireMaxDifference()
was not validating properly if the configured max difference is violated.Mitigation
PR-5 successfully mitigates the original issue by modifying
_requireMaxDifference()
so that it always uses the primary price as the base for the price difference calculations. This way the results are always consistentConclusion
Mitigation Confirmed