Platform: Code4rena
Start Date: 25/08/2022
Pot Size: $75,000 USDC
Total HM: 35
Participants: 147
Period: 7 days
Judge: 0xean
Total Solo HM: 15
Id: 156
League: ETH
Rank: 117/147
Findings: 1
Award: $54.31
Selected for report: 0
Solo Findings: 0
Selected for report: zzzitron
Also found by: 0x040, 0x1f8b, 0x52, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSky, 0xSmartContract, 0xkatana, 8olidity, Aymen0909, Bahurum, BipinSah, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chandr, Chom, CodingNameKiki, Deivitto, DimSon, Diraco, ElKu, EthLedger, Funen, GalloDaSballo, Guardian, IllIllI, JansenC, Jeiwan, Lambda, LeoS, Margaret, MasterCookie, PPrieditis, PaludoX0, Picodes, PwnPatrol, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, StevenL, The_GUILD, TomJ, Tomo, Trust, Waze, __141345__, ajtra, ak1, apostle0x01, aviggiano, bin2chen, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch13fd357r0y3r, cloudjunky, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, devtooligan, dipp, djxploit, durianSausage, eierina, enckrish, erictee, fatherOfBlocks, gogo, grGred, hansfriese, hyh, ignacio, indijanc, itsmeSTYJ, ladboy233, lukris02, martin, medikko, mics, natzuu, ne0n, nxrblsrpr, okkothejawa, oyc_109, p_crypt0, pfapostol, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, sorrynotsorry, tnevler, tonisives, w0Lfrum, yixxas
54.3128 DAI - $54.31
The PRICE module's initialize function checks lastObservationTime_ for dates in the future, but does not check whether the last observation time is too old to be used, as getCurrentPrice does for the price stream. The Deployer.sol script mentions "Actual market data will be used to initialize in production", therefore we can assume the same logic should apply.

Initializing with old data would result in an invalid moving average output.
```solidity
// Check that the number of start observations matches the number expected
if (startObservations_.length != numObs || lastObservationTime_ > uint48(block.timestamp))
    revert Price_InvalidParams();
```

Tools Used: none

Recommended mitigation (the original suggestion had a misplaced closing parenthesis that ended the condition early; corrected here):

```solidity
// Check that the number of start observations matches the number expected
// Use a multiple of observation frequency to determine what is too old to use
if (
    startObservations_.length != numObs ||
    lastObservationTime_ > uint48(block.timestamp) ||
    lastObservationTime_ < uint48(block.timestamp - 1 * uint256(observationFrequency))
) revert Price_InvalidParams();
```
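The two-sided bound described above, written out as a reduced price module. This is an added example and not the project's code: the contract name PriceInitExample, the movingAverageDuration parameter, the getMovingAverage function and the one-interval staleness limit are assumptions made for illustration. It also handles the edge case the one-line mitigation leaves open, a block.timestamp smaller than observationFrequency, which would revert on underflow rather than on the intended check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not the project's code: a reduced price module whose
/// initialize() bounds lastObservationTime_ on both sides. The names
/// PriceInitExample, movingAverageDuration and getMovingAverage are assumptions.
contract PriceInitExample {
    error Price_InvalidParams();
    error Price_AlreadyInitialized();
    error Price_NotInitialized();

    /// Seconds between two observations in the moving-average window.
    uint48 public immutable observationFrequency;
    /// Total window length; numObservations = movingAverageDuration / observationFrequency.
    uint48 public immutable movingAverageDuration;
    uint256 public immutable numObservations;

    uint256[] public observations;
    uint48 public lastObservationTime;
    bool public initialized;

    constructor(uint48 observationFrequency_, uint48 movingAverageDuration_) {
        // Both parameters must be non-zero and the duration a whole number of intervals.
        if (
            observationFrequency_ == 0 ||
            movingAverageDuration_ == 0 ||
            movingAverageDuration_ % observationFrequency_ != 0
        ) revert Price_InvalidParams();
        observationFrequency = observationFrequency_;
        movingAverageDuration = movingAverageDuration_;
        numObservations = uint256(movingAverageDuration_) / uint256(observationFrequency_);
    }

    /// Seed the moving average with historical observations.
    function initialize(uint256[] calldata startObservations_, uint48 lastObservationTime_) external {
        if (initialized) revert Price_AlreadyInitialized();

        uint48 nowTs = uint48(block.timestamp);

        // Existing check from the report: the length must match and the
        // timestamp may not lie in the future.
        if (startObservations_.length != numObservations || lastObservationTime_ > nowTs)
            revert Price_InvalidParams();

        // Missing check from the report: the timestamp may not be older than one
        // observation interval, otherwise the first update averages stale data.
        // Floor at zero so a block.timestamp below the interval cannot underflow.
        uint48 oldestAllowed = nowTs > observationFrequency ? nowTs - observationFrequency : 0;
        if (lastObservationTime_ < oldestAllowed) revert Price_InvalidParams();

        for (uint256 i = 0; i < startObservations_.length; i++) {
            // A zero price is never a valid observation.
            if (startObservations_[i] == 0) revert Price_InvalidParams();
            observations.push(startObservations_[i]);
        }
        lastObservationTime = lastObservationTime_;
        initialized = true;
    }

    /// Arithmetic mean over the seeded window; stands in for the module's moving average.
    function getMovingAverage() external view returns (uint256) {
        if (!initialized) revert Price_NotInitialized();
        uint256 sum;
        for (uint256 i = 0; i < observations.length; i++) sum += observations[i];
        return sum / observations.length;
    }
}
```

With an observationFrequency of 8 hours, a lastObservationTime_ taken a week before deployment now reverts in initialize instead of surfacing later as a moving average that no longer reflects the market; the floor at zero keeps the rejection a deliberate Price_InvalidParams rather than an arithmetic panic on chains or test setups with a small block.timestamp.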
#0 - Oighty
2022-09-07T20:25:58Z
While this is true, the same could be said for providing old data points and falsifying a last observation time. The primary purpose of last observation time is to provide an idea of when the moving average was last updated when it's running perpetually. Here we just provide an initialized value. The impact of this being wrong is really just incorrect data shown for a brief period of time until the price is updated for the first time.
#1 - 0xean
2022-09-19T23:56:01Z
downgrading to QA