Assessment reports>Beefy UniswapV3>High findings>TWAP interval too short
Category: Business Logic

TWAP interval too short

High Severity
High Impact
Low Likelihood

Description

The TWAP represents the time-weighted average price over a certain time interval. This time interval average is used when determining whether a period is calm or not. The current implementation uses a 60-second interval, which represents approximately four, almost five, blocks on the Ethereum mainnet, where the block time is 12 seconds on average.

This interval is too short, as an attacker could theoretically manipulate the price within this time frame. A longer interval would make it harder for an attacker to manipulate the price and would make the system more robust against flash-loan attacks.

Additionally, the current implementation hardcodes the interval, which makes it difficult to change in the future. Depending on the token and the market, the interval should be adjusted to a value that makes it hard for an attacker to manipulate the price within that time frame.

Impact

As the time-frame necessary for an attacker to manipulate the price is too short, the system is more prone to manipulation attacks. This could lead to a loss of funds for the users of the system.

Recommendations

We recommend increasing the base-time interval to a value that makes it hard for an attacker to manipulate the price within that time frame. Additionally, we recommend making the interval adjustable, so that it can be changed in the future if necessary.

+ function updateTwapInterval(uint32 _interval) external onlyOwner {
+     twapInterval = _interval;
+ }

function twap() public view returns (int56 twapTick) {
    uint32[] memory secondsAgo = new uint32[](2);
-   secondsAgo[0] = 60;
+   secondsAgo[0] = twapInterval;
    secondsAgo[1] = 0;

    (int56[] memory tickCuml,) = IUniswapV3Pool(pool).observe(secondsAgo);
-   twapTick = (tickCuml[1] - tickCuml[0]) / 60;
+   twapTick = (tickCuml[1] - tickCuml[0]) / twapInterval;
}

Remediation

This issue has been acknowledged by Beefy, and a fix was implemented in commit bbde6268.

Zellic © 2024Back to top ↑