TWAP period could be very low and potentially allow an attacker to influence this
Summary
secondsAgo could be 10 seconds, a low figure that might be influenced by an attacker.
Vulnerability Detail
The protocol implements a functionality that is used to prevent outdated prices received by users. However, in the function, it is used as a secondsAgo value for calculating which in turn is used to get a price from.
The same secondsAgo is allowed to be as low as 10 seconds which is a very low value and could be influenced by an attacker
/// @notice Return USD price of given token, multiplied by 10**18.
/// @param token The vault token to get the price of.
/// @return price USD price of token in 18 decimals.
function getPrice(address token) external view override returns (uint256) {
// Maximum cap of timeGap is 2 days(172,800), safe to convert
uint32 secondsAgo = timeGaps[token].toUint32();
if (secondsAgo == 0) revert Errors.NO_MEAN(token);
address stablePool = stablePools[token];
if (stablePool == address(0)) revert Errors.NO_STABLEPOOL(token);
address poolToken0 = IUniswapV3Pool(stablePool).token0();
address poolToken1 = IUniswapV3Pool(stablePool).token1();
address stablecoin = poolToken0 == token ? poolToken1 : poolToken0; // get stable token address
uint8 stableDecimals = IERC20Metadata(stablecoin).decimals();
uint8 tokenDecimals = IERC20Metadata(token).decimals();
(int24 arithmeticMeanTick, ) = UniV3WrappedLibMockup.consult(
stablePool,
secondsAgo
);// @audit only check prvided for secondsAgo is that its not == 0?
uint256 quoteTokenAmountForStable = UniV3WrappedLibMockup
.getQuoteAtTick(
arithmeticMeanTick,
uint256(10 ** tokenDecimals).toUint128(),
token,
stablecoin
);
return
(quoteTokenAmountForStable * base.getPrice(stablecoin)) /
10 ** stableDecimals;
}
}
Impact
This may lead to wrong assumptions on the implementation of the protocol, and the wrong price being returned by the oracle.
Bauchibred
medium
TWAP period could be very low and potentially allow an attacker to influence this
Summary
secondsAgocould be 10 seconds, a low figure that might be influenced by an attacker.Vulnerability Detail
The protocol implements a functionality that is used to prevent outdated prices received by users. However, in the function, it is used as a
secondsAgovalue for calculating which in turn is used to get a price from.The same
secondsAgois allowed to be as low as 10 seconds which is a very low value and could be influenced by an attackerImpact
This may lead to wrong assumptions on the implementation of the protocol, and the wrong price being returned by the oracle.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/96eb1829571dc46e1a387985bd56989702c5e1dc/blueberry-core/contracts/oracle/UniswapV3AdapterOracle.sol#L57-L90
Tool used
Manual Review
Recommendation
This might seem to simple but introducing a minimum duration for
secondsAgocould fix this