42 lines (23 loc) · 1.04 KB

Large Arctic Kookaburra

Medium

TWAP price manipulation

Summary

The observe() call in BalancerOracleAdapter.sol:107 is vulnerable to TWAP price manipulation because:

  • the pool's observation cardinality is not checked, and
  • it is not verified that the requested time window secondsAgo is actually covered by the stored observations.

If the pool cardinality is 1, the pool stores only the most recent observation, so the query falls back to the current price instead of historical data. The TWAP is then meaningless because it is just the spot price, which is far easier to manipulate.

Root Cause

No response

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

This vulnerability can lead to inaccurate price calculations, potentially resulting in loss of funds.

PoC

No response

Mitigation

  • Revert if oldestObservation < secondsAgo, to ensure the full intended TWAP period is used.
  • Check the pool's cardinality and require a reasonable minimum, so that several observations are used to calculate the TWAP.
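One way to implement both mitigation items inside the adapter, as an added example that is not part of this finding or the project's code. It assumes a Uniswap-V3-style pool interface (slot0, observations, observe); since the finding names a Balancer pool adapter, that interface shape, the library name and the minCardinality parameter are assumptions to adapt to the real pool:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed Uniswap-V3-style oracle interface (assumption, not the project's own).
interface ITwapPool {
    function slot0() external view returns (
        uint160 sqrtPriceX96, int24 tick, uint16 observationIndex,
        uint16 observationCardinality, uint16 observationCardinalityNext,
        uint8 feeProtocol, bool unlocked);
    function observations(uint256 i) external view returns (
        uint32 blockTimestamp, int56 tickCumulative,
        uint160 secondsPerLiquidityCumulativeX128, bool initialized);
    function observe(uint32[] calldata secondsAgos) external view returns (
        int56[] memory tickCumulatives, uint160[] memory secondsPerLiquidityX128s);
}

library SafeTwap {
    error InsufficientCardinality(uint16 have, uint16 want);
    error WindowNotCovered(uint32 oldestAgo, uint32 secondsAgo);

    /// @notice Average tick over the last `secondsAgo` seconds. Reverts unless the
    ///         pool keeps at least `minCardinality` observations and its history
    ///         actually reaches back the whole window (never silently shortens it).
    function consultTick(ITwapPool pool, uint32 secondsAgo, uint16 minCardinality)
        internal view returns (int24 averageTick)
    {
        (, , uint16 index, uint16 cardinality, , , ) = pool.slot0();
        if (cardinality < minCardinality) revert InsufficientCardinality(cardinality, minCardinality);

        // The oldest slot of the ring buffer is the one right after the current index;
        // if that slot was never written, the buffer has not wrapped and slot 0 is oldest.
        (uint32 oldestTs, , , bool initialized) = pool.observations((index + 1) % cardinality);
        if (!initialized) (oldestTs, , , ) = pool.observations(0);
        uint32 oldestAgo = uint32(block.timestamp) - oldestTs;
        if (oldestAgo < secondsAgo) revert WindowNotCovered(oldestAgo, secondsAgo);

        uint32[] memory secondsAgos = new uint32[](2);
        secondsAgos[0] = secondsAgo; // start of the window
        secondsAgos[1] = 0;          // now
        (int56[] memory cumulatives, ) = pool.observe(secondsAgos);
        int56 delta = cumulatives[1] - cumulatives[0];
        int56 window = int56(uint56(secondsAgo));
        averageTick = int24(delta / window);
        // Round toward negative infinity so the result matches Uniswap's OracleLibrary.
        if (delta < 0 && delta % window != 0) averageTick--;
    }
}
```

With cardinality 1 the only stored observation is also the newest one, so oldestAgo is tiny and the call reverts instead of returning a spot price dressed up as a TWAP.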