3 matches found
Users can swap tokens through shift() function without _updatePumps()
Lines of code Vulnerability details Impact Any user can swap tokens just transferring tokens to the contract in a batch with calling shift function. The problem is that the shift doesn't call the updatePumps function which update oracle. This way attackers can exploit this vulnerability to...
Pump is not updated in shift function
Lines of code Vulnerability details Impact According to comments in Well contract, updatePumps function "Fetches the current token reserves of the Well and updates the Pumps. Typically called before an operation that modifies the Well's reserves." In functions like swap, add/remove liquidity...
TWAP can be easily manipulated by attacker through the sync() function, causing loss of funds
Lines of code Vulnerability details Description Please refer to the issue titled Implementation of Well shift function allows attackers to completely manipulate the oracles for relevant introduction and context. The safety of the TWAP relies on calling the observation function update with the...