sherlock-audit / 2024-06-leveraged-vaults-judging


4b - `PendlePTOracle::twapDuration` should not be immutable #106

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

4b

Medium

PendlePTOracle::twapDuration should not be immutable

Summary

twapDuration is set as an immutable variable; this is not advisable, as it poses a great risk after deployment.

Vulnerability Detail

The twapDuration determines the update period for which TWAP oracles will allow a new price to be fetched:

```solidity
uint32 public immutable twapDuration;
```

As we can see, the variable is set to immutable.

The owner of the contract or admin should be allowed to dynamically set it based on market conditions. The inability to set it after deployment will pose a great risk if the market takes a different turn.

More on this bug here

Impact

Inability to dynamically set it after deployment, as a result, makes us stuck on one twapDuration.

Code Snippet

```solidity
contract PendlePTOracle is AggregatorV2V3Interface {
    using TypeConvert for uint256;

    address public immutable pendleMarket;
    // @audit should be changeable not immutable
    uint32 public immutable twapDuration;
    bool public immutable useSyOracleRate;
```

Tool used

Manual Review

Recommendation

The variable should be dynamic and be able to be set by the protocol owners or admin to meet current market conditions.

sherlock-admin3 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Low/QA at most on an intended design
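
An added sketch (not code from the report or from the audited project) of what the recommendation implies in practice: once `twapDuration` is settable, the setter becomes part of the oracle's trust surface, so the value is range-checked and every change is delayed and logged. The contract name, bounds, delay and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration: hypothetical contract, not the audited PendlePTOracle.
contract BoundedTwapConfig {
    // Assumed bounds: the floor keeps the averaging window from being shortened
    // until it no longer smooths the price; the ceiling limits staleness.
    uint32 public constant MIN_TWAP_DURATION = 15 minutes;
    uint32 public constant MAX_TWAP_DURATION = 1 hours;
    uint256 public constant CHANGE_DELAY = 2 days; // assumed timelock
    address public immutable owner;
    uint32 public twapDuration;        // storage slot instead of immutable
    uint32 public pendingTwapDuration; // queued value, 0 means none
    uint256 public pendingEffectiveAt;
    event TwapDurationQueued(uint32 newDuration, uint256 effectiveAt);
    event TwapDurationUpdated(uint32 oldDuration, uint32 newDuration);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint32 initialDuration) {
        _checkBounds(initialDuration);
        owner = msg.sender;
        twapDuration = initialDuration;
    }

    // Rejects any duration outside the fixed range, for the owner as well.
    function _checkBounds(uint32 d) private pure {
        require(d >= MIN_TWAP_DURATION && d <= MAX_TWAP_DURATION, "duration out of bounds");
    }

    // Step 1: queue the change so integrators can see it before it applies.
    function queueTwapDuration(uint32 newDuration) external onlyOwner {
        _checkBounds(newDuration);
        pendingTwapDuration = newDuration;
        pendingEffectiveAt = block.timestamp + CHANGE_DELAY;
        emit TwapDurationQueued(newDuration, pendingEffectiveAt);
    }

    // Step 2: apply only after the delay has elapsed.
    function applyTwapDuration() external onlyOwner {
        require(pendingTwapDuration != 0, "nothing queued");
        require(block.timestamp >= pendingEffectiveAt, "delay not elapsed");
        emit TwapDurationUpdated(twapDuration, pendingTwapDuration);
        twapDuration = pendingTwapDuration;
        pendingTwapDuration = 0;
    }
}
```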