Potential Arithmetic Overflow in TWAP Accumulator Calculation
Summary
This vulnerability report highlights a potential security issue related to the calculation of the TWAP (markPriceTwapData.accumulator) in the provided code snippet. The vulnerability arises when the deltaTime (time difference) becomes significantly larger than markPriceTwapData.lastPrice, leading to a potential arithmetic overflow.
Vulnerability Detail
The vulnerability lies in the code's calculation of markPriceTwapData.accumulator using the product of markPriceTwapData.lastPrice and deltaTime. If the deltaTime value becomes excessively large in comparison to markPriceTwapData.lastPrice, it can result in an arithmetic overflow during the addition, potentially leading to incorrect and unpredictable values for markPriceTwapData.accumulator.
Impact
Exploiting this vulnerability can lead to inaccuracies in the TWAP calculation. The overflow can result in an incorrect markPriceTwapData.accumulator value, which can affect various functionalities and calculations reliant on TWAP. The incorrect TWAP value can lead to erroneous pricing, trading decisions, and potential financial losses or inconsistencies within the system.
Before performing the calculation markPriceTwapData.accumulator += markPriceTwapData.lastPrice * deltaTime, validate that deltaTime is within a reasonable range. If the deltaTime exceeds a certain threshold, handle the situation appropriately to prevent overflow. This can be achieved by capping the maximum value of deltaTime or splitting the calculation into smaller intervals if necessary.
Hama
medium
Potential Arithmetic Overflow in TWAP Accumulator Calculation
Summary
This vulnerability report highlights a potential security issue related to the calculation of the TWAP (markPriceTwapData.accumulator) in the provided code snippet. The vulnerability arises when the deltaTime (time difference) becomes significantly larger than markPriceTwapData.lastPrice, leading to a potential arithmetic overflow.
Vulnerability Detail
The vulnerability lies in the code's calculation of markPriceTwapData.accumulator using the product of markPriceTwapData.lastPrice and deltaTime. If the deltaTime value becomes excessively large in comparison to markPriceTwapData.lastPrice, it can result in an arithmetic overflow during the addition, potentially leading to incorrect and unpredictable values for markPriceTwapData.accumulator.
Impact
Exploiting this vulnerability can lead to inaccuracies in the TWAP calculation. The overflow can result in an incorrect markPriceTwapData.accumulator value, which can affect various functionalities and calculations reliant on TWAP. The incorrect TWAP value can lead to erroneous pricing, trading decisions, and potential financial losses or inconsistencies within the system.
Code Snippet
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/AMM.sol#L481
Tool used
Manual Review
Recommendation
Before performing the calculation markPriceTwapData.accumulator += markPriceTwapData.lastPrice * deltaTime, validate that deltaTime is within a reasonable range. If the deltaTime exceeds a certain threshold, handle the situation appropriately to prevent overflow. This can be achieved by capping the maximum value of deltaTime or splitting the calculation into smaller intervals if necessary.