Closed (sherlock-admin2 closed 6 months ago)
TWAP_MIN_OBSERVATION_WINDOW is what it says it is - the minimum observation window. On line 71 of the Oracle.sol file, there is a check that the period is not less than TWAP_MIN_OBSERVATION_WINDOW. The actual observation window is passed in by the calling contract, which in turn gets it from the PRICE asset configuration.
0xMR0
high
TWAP observation window period is very low allowing the TWAP price to be easily manipulated
Summary
TWAP observation window period is very low allowing the TWAP price to be easily manipulated
Vulnerability Detail
In Oracle.sol, the contract has used a TWAP observation window period of 19 seconds. This period size means that the oracle will take a new observation after every single block, which would allow an attacker to easily flood the TWAP oracle and manipulate the price. The contracts will only be deployed on Ethereum mainnet, which produces blocks every 12 seconds post Ethereum merge, i.e. after Proof of Stake (PoS). With the adoption of PoS, oracles are theoretically less secure because a malicious validator knows whether they control the next block.
TWAP_MINIMUM_OBSERVATION_SECONDS is used in getTimeWeightedTick() to check the provided argument period, i.e. the period (in seconds) over which to calculate the time-weighted tick. getTimeWeightedTick() is further used in getTWAPRatio(), which returns the ratio of token1 to token0 based on the TWAP. getTWAPRatio() is further extensively used in BunniPrice.sol, UniswapV3Price.sol and BunniSupply.sol in various functions which use TWAP. All these contracts' functionality is at risk due to the low TWAP period, which can be easily manipulated, and the functions would return incorrect data. For more information on TWAP price manipulation, check this uniswap-v3 article.
Also, check this uniswap-v3 TWAP market risk article.
Impact
TWAP oracle easily manipulated, leading to price manipulation. The functions discussed above are at risk of price manipulation, which would also brick the functionality of the contracts.
Code Snippet
https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/libraries/UniswapV3/Oracle.sol#L20
Tool used
Manual Review
Recommendation
Increase the TWAP_MINIMUM_OBSERVATION_SECONDS to 1800 (30 minutes), which is the standard TWAP window period usually considered in DeFi. A higher TWAP period may also be considered.
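As an added example (not code from the Olympus repository or from the issue author), the script below models the Uniswap V3 oracle arithmetic that a time-weighted tick lookup such as getTimeWeightedTick() relies on (tickCumulative delta divided by the period, floored toward negative infinity) and measures how far a single 12-second block at a manipulated tick moves the TWAP-implied price for the 19-second window discussed in the report versus the recommended 1800-second window. The observation segments, the "price doubles for one block" tick of 6932 (1.0001^6932 is roughly 2) and all function names are constructed for the illustration; the only figures taken from the report are the two window lengths and the 12-second block time.

```python
"""Added example (not code from the Olympus repository or from the issue
author): reproduce the Uniswap V3 oracle arithmetic behind a time-weighted
tick and measure how much one manipulated 12-second block shifts the
TWAP-implied price for different observation windows.

All observation data below is constructed for the illustration.
"""
from typing import List, Tuple

# (duration in seconds, pool tick that was current during that span),
# laid end to end starting at t = 0. This stands in for the pool's
# observation array; tickCumulative is the integral of the tick over time.
Segment = Tuple[int, int]


def tick_cumulative_at(segments: List[Segment], ts: int) -> int:
    """Return the tickCumulative value at timestamp ts, i.e. the integral of
    the tick over [0, ts] (the quantity a V3 pool stores per observation)."""
    if ts < 0:
        raise ValueError("timestamp before recorded history")
    cum, t = 0, 0
    for duration, tick in segments:
        if ts <= t:
            break
        span = min(duration, ts - t)   # clip the last, partially covered segment
        cum += tick * span
        t += duration
    if ts > t:
        raise ValueError("timestamp beyond recorded history")
    return cum


def time_weighted_tick(segments: List[Segment], now: int, period: int) -> int:
    """(tickCumulative(now) - tickCumulative(now - period)) / period, floored
    toward negative infinity as the Uniswap V3 OracleLibrary does."""
    if period <= 0:
        raise ValueError("period must be positive")
    delta = tick_cumulative_at(segments, now) - tick_cumulative_at(segments, now - period)
    return delta // period   # Python's // already floors toward -infinity


def price_ratio_from_tick(tick: int) -> float:
    """token1/token0 price implied by a tick: 1.0001 ** tick."""
    return 1.0001 ** tick


def twap_price_shift(base_tick: int, manipulated_tick: int,
                     block_seconds: int, period: int) -> float:
    """Fractional change of the TWAP-implied price when a single block of
    block_seconds at manipulated_tick is the most recent block inside an
    observation window of `period` seconds that was otherwise at base_tick.
    An hour of quiet history precedes the window so lookups never run out;
    a window shorter than one block is covered entirely by that block."""
    quiet = max(period - block_seconds, 0)
    segments = [(3600, base_tick), (quiet, base_tick), (block_seconds, manipulated_tick)]
    now = 3600 + quiet + block_seconds
    twap_tick = time_weighted_tick(segments, now, period)
    return price_ratio_from_tick(twap_tick) / price_ratio_from_tick(base_tick) - 1.0


if __name__ == "__main__":
    # Constructed scenario: the spot tick jumps from 0 to 6932 (1.0001**6932 is
    # roughly 2.0, i.e. the price doubles) for exactly one 12-second block.
    for period in (19, 60, 300, 1800):
        shift = twap_price_shift(0, 6932, 12, period)
        print(f"window {period:5d}s: TWAP price moves by {shift * 100:6.2f}%")
```

Running the script shows the dilution effect the recommendation relies on: with a 19-second window the one manipulated block is 12 of 19 seconds, so a doubled spot price moves the TWAP by roughly 55%, while the same block inside an 1800-second window moves it by well under 1%. The `twap_price_shift` helper generalises the report's two windows to any period and block time, so it can be used to size a window against the price deviation a consumer can tolerate.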