Closed sherlock-admin closed 1 year ago
simon135
medium
Because the default configuration is a 30-minute twap it shouldn't be used its to slow
For tokens like ETH where the price can move rapidly, a 30-minute twap can give an old price, and attackers can steal funds
too old twap on rapid price movement tokens will cause loss of funds
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-oracle/src/UniV3OracleImpl.sol#L275
(int24 arithmeticMeanTick,) = OracleLibrary.consult({pool: pool, secondsAgo: po.period});
The reason why it's not an owner misconfig is that the protocol itself will use this config so that's why its not an owners/misconfig issue.
Manual Review
make it not the default config and have more verifications and make it smaller then 30 minutes
Duplicate of #47
simon135
medium
The default configuration for the oralce shouldnt be used
Summary
Because the default configuration is a 30-minute twap it shouldn't be used its to slow
Vulnerability Detail
For tokens like ETH where the price can move rapidly, a 30-minute twap can give an old price, and attackers can steal funds
Impact
too old twap on rapid price movement tokens will cause loss of funds
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-oracle/src/UniV3OracleImpl.sol#L275
The reason why it's not an owner misconfig is that the protocol itself will use this config so that's why its not an owners/misconfig issue.
Tool used
Manual Review
Recommendation
make it not the default config and have more verifications and make it smaller then 30 minutes
Duplicate of #47