Platform: Code4rena
Start Date: 01/04/2024
Pot Size: $120,000 USDC
Total HM: 11
Participants: 55
Period: 21 days
Judge: Picodes
Total Solo HM: 6
Id: 354
League: ETH
Rank: 24/55
Findings: 1
Award: $212.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: DadeKuma
Also found by: 0xStalin, 0xhacksmithh, 99Crits, Aymen0909, Bauchibred, CodeWasp, Dup1337, IllIllI, John_Femi, K42, KupiaSec, Naresh, Rhaydden, Rolezn, Sathish9098, Topmark, ZanyBonzy, albahaca, bareli, blockchainbuttonmasher, cheatc0d3, codeslide, crc32, d3e4, favelanky, grearlake, hihen, jasonxiale, jesjupyter, lanrebayode77, lirezArAzAvi, lsaudit, mining_mario, oualidpro, pfapostol, radin100, rbserver, sammy, satoshispeedrunner, slvDev, twcctop, zabihullahazadzoi
212.8863 USDC - $212.89
https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/libraries/PanopticMath.sol#L266
Detailed description of the impact of this finding.
As we are taking the median of the twapMeasurement array, which has a size of 20 as indices go from (0 to 19), the 10th element is array index 9, not 10.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

    function twapFilter(IUniswapV3Pool univ3pool, uint32 twapWindow) external view returns (int24) {
        uint32[] memory secondsAgos = new uint32[](20);

        int256[] memory twapMeasurement = new int256[](19);

        unchecked {
            // construct the time slots
            for (uint256 i = 0; i < 20; ++i) {
                secondsAgos[i] = uint32(((i + 1) * twapWindow) / 20);
            }

            // observe the tickCumulative at the 20 pre-defined time slots
            (int56[] memory tickCumulatives, ) = univ3pool.observe(secondsAgos);

            // compute the average tick per 30s window
            for (uint256 i = 0; i < 19; ++i) {
                twapMeasurement[i] = int24(
                    (tickCumulatives[i] - tickCumulatives[i + 1]) / int56(uint56(twapWindow / 20))
                );
            }

            // sort the tick measurements
            int256[] memory sortedTicks = Math.sort(twapMeasurement);

            // Get the median value
            return int24(sortedTicks[10]); // @>>>
        }
    }

return int24(sortedTicks[9]);
Context
#0 - c4-judge
2024-04-26T18:58:10Z
Picodes marked the issue as duplicate of #239
#1 - c4-judge
2024-04-26T18:59:29Z
Picodes marked the issue as not a duplicate
#2 - c4-judge
2024-04-26T18:59:34Z
Picodes marked the issue as primary issue
#3 - dyedm1
2024-04-26T21:38:12Z
Technically the median would be 9 (so comments are wrong), but there are not really any meaningful consequences from using the 10th index instead. Not sure the Med sev on this is justified.
#4 - Picodes
2024-04-29T21:47:26Z
Considering the lack of impact here, I do agree with the sponsor and think low severity is more justified under "state handling, function incorrect as to spec, issues with comments".
#5 - c4-judge
2024-04-29T21:47:34Z
Picodes changed the severity to QA (Quality Assurance)
#6 - c4-judge
2024-04-29T21:47:37Z
Picodes marked the issue as grade-a
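
A Python model of the `twapFilter` index arithmetic, added here as an example; it is not part of the submission or of the Panoptic code base. The helper names and tick values are constructed, and a `twapWindow` of 600 seconds is assumed. It shows where the middle of the 19-element `twapMeasurement` array sits and what `sortedTicks[10]` returns instead.

```python
# Added example: models the arithmetic of twapFilter, not Panoptic's own code.

def sol_div(a: int, b: int) -> int:
    """Solidity signed division truncates toward zero; Python's // floors."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q

def twap_measurements(tick_cumulatives, twap_window):
    """Mirror the second loop: 20 cumulative observations yield 19 average ticks."""
    step = twap_window // 20
    return [sol_div(tick_cumulatives[i] - tick_cumulatives[i + 1], step)
            for i in range(len(tick_cumulatives) - 1)]

def median_index(n: int) -> int:
    """0-based index of the middle element of a sorted odd-length array."""
    if n % 2 == 0:
        raise ValueError("an even-length array has no single middle element")
    return n // 2

def constructed_cumulatives(avg_ticks, twap_window):
    """Build observe()-style output from per-slot average ticks (constructed data).
    Entry i is the cumulative at secondsAgos[i]; older entries hold smaller sums."""
    step = twap_window // 20
    cum = [0]
    for t in avg_ticks:
        cum.append(cum[-1] - t * step)
    return cum

def compare_picks(tick_cumulatives, twap_window):
    """Return the true median next to the value the audited code returns."""
    ticks = sorted(twap_measurements(tick_cumulatives, twap_window))
    mid = median_index(len(ticks))
    return {
        "n": len(ticks),
        "median_index": mid,
        "true_median": ticks[mid],
        "index_10": ticks[10],
        "below_index_10": 10,                 # elements sorted before index 10
        "above_index_10": len(ticks) - 11,    # elements sorted after index 10
    }

# Constructed sample: 19 distinct average ticks, twapWindow assumed to be 600 s.
SAMPLE_TICKS = [100, 104, 98, 110, 95, 120, 101, 99, 130, 97,
                105, 103, 96, 115, 102, 94, 125, 108, 93]

if __name__ == "__main__":
    print(compare_picks(constructed_cumulatives(SAMPLE_TICKS, 600), 600))
```

Index 10 is the 11th smallest of the 19 values, so it sits one order statistic above the median.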