Category: Business Logic

Successful swaps do not update spread

High Severity
High Impact
High Likelihood

Description

When a swap occurs, the pool calls into the oracle to post a new price for the affected pairs:

// function _sellBase( ... ) {
IWooracleV2_2(wooracle).postPrice(baseToken, uint128(newPrice));

// function _sellQuote( ... ) {
IWooracleV2_2(wooracle).postPrice(baseToken, uint128(newPrice));

// function _swapBaseToBase( ... ) {
IWooracleV2_2(wooracle).postPrice(baseToken1, uint128(newBase1Price));
IWooracleV2_2(wooracle).postPrice(baseToken2, uint128(newBase2Price));

However, the spread is not updated. This is economically unsafe, since the spread after a trade with a large price impact is assumed to be the same as the spread before the large trade.

Impact

Users who wish to do large swaps may see better execution if they break up their swap into smaller swaps. Also, large swaps can cause the pool to lose an undue amount of value to arbitrage due to an overestimation of how accurate the current recorded price is.

Recommendations

Update the spread in addition to the price when a trade succeeds. Ensure that the new spread for the pair accurately reflects the uncertainty in price that would arise on the centralized end if such a swap were executed there.
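As an added illustration of this recommendation (not code from the WOOFi repository or the audit), the following Python model contrasts the reported behaviour, where a swap posts only a new price, with a patched swap that posts the price and a widened spread together, and gives the post-condition a test suite could assert after every swap. The oracle method names, the fixed-point conventions and the spread-widening rule are all assumptions made for the example.

```python
from dataclasses import dataclass

ONE = 10**18  # fixed-point unit for spreads and relative moves (constructed convention)


@dataclass
class OracleState:
    price: int   # base token price in quote units, 8 decimals (constructed convention)
    spread: int  # half-spread, ONE == 100%


class Oracle:
    """Stand-in for the oracle the pool calls; method names are assumed, not WooracleV2_2's ABI."""

    def __init__(self, states):
        self.states = states

    def post_price(self, base, price):
        self.states[base].price = price

    def post_state(self, base, price, spread):
        self.states[base] = OracleState(price, spread)


def widened_spread(old_spread, old_price, new_price, sensitivity=2 * ONE):
    """Assumed widening rule: add |dp / p| * sensitivity to the previous half-spread.
    A production rule should come from the same model the centralized desk uses."""
    move = abs(new_price - old_price) * ONE // old_price
    return old_spread + move * sensitivity // ONE


def sell_base(oracle, base, new_price, patched):
    """Performs the oracle update a swap triggers; returns (state before, state after)."""
    cur = oracle.states[base]
    before = OracleState(cur.price, cur.spread)  # snapshot, since post_price mutates in place
    if patched:
        oracle.post_state(base, new_price, widened_spread(before.spread, before.price, new_price))
    else:
        oracle.post_price(base, new_price)  # reported behaviour: spread left untouched
    return before, oracle.states[base]


def spread_reflects_trade(before, after):
    """Post-condition: any swap that moved the price must have widened the spread;
    a swap with no price move may leave the spread unchanged."""
    if after.price == before.price:
        return True
    return after.spread > before.spread


def demo(patched):
    oracle = Oracle({"BASE": OracleState(price=2000 * 10**8, spread=10**15)})  # 0.1% half-spread
    before, after = sell_base(oracle, "BASE", 1990 * 10**8, patched)  # 0.5% price impact
    return spread_reflects_trade(before, after), after.spread
```

Running `demo(False)` reproduces the finding (the post-condition fails and the 0.1% spread survives a 0.5% move), while `demo(True)` passes with the spread widened to 1.1%.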

Also, consider that a large swap does not just affect the price and spread of the pairs it touches, because of the hub-and-spoke model of the pool. For instance, if a user is trying to buy a large amount of the quote token at once, the best way to execute that would be to externally swap assets until they hold a basket of base assets similar in proportion to the reserves multiplied by each base asset's coefficient and then provide those base assets to the pool. Providing any proportion of base assets other than the most optimal one leads to poorer execution and the creation of value that arbitrageurs can then claim.

Remediation

This issue has been acknowledged by WOOFI, and a fix was implemented in commit 8b086a35.

Zellic © 2025