Passive Indigo Dolphin - Wooracle timestamp not updated on initialization

[sherlock-admin2]

Passive Indigo Dolphin

High

Wooracle timestamp not updated on initialization

Summary

The updated_at field in wooracle account data is not updated when the wooracle account is initialized.

Root Cause

When the create_wooracle instruction is called, the updated_at field is not initialized as shown below

Internal pre-conditions

The create_wooracle instruction is called which does not initialize the updated_at field.

The get_price instruction is called and it fails to get the appropriate price due to the constraint in get_price.rs

where

let now = Clock::get()?.unix_timestamp;
let wo_timestamp = oracle.updated_at;

now <= (wo_timestamp + oracle.stale_duration)

Impact

This could lead to getting a wrong price balance(0) when trying to get the price or It could lead to DOS during swapping since swap.rs using the get_price_impl under the hood.

Mitigation

These can easily be prevented by adding ctx.accounts.wooracle.update_now()?; in create_wooracle.rs to initialize the updated_at field in wooracle at iniitialization.

[toprince]

price 0 means price is invalid. It is correct logic. Update now means price is updated. Price is not updated just after create. So current is correct logic.