Day 47 — Improper Oracle Update
In update_pool_state, oracle::update is called with the post-swap current_tick_index rather than the value that was in effect before the swap, which may produce inaccurate oracle observations.
Vulnerability Pattern: Oracle Issue
Severity: Low
Ecosystem: Sui
Protocol: Bluefin Spot
Auditor: OtterSec
Report:
https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Nov 2024
Description:
pool::update_pool_state updates the state of the liquidity pool after a swap. In the current code, oracle::update is called only after the pool's current_tick_index and current_sqrt_price have already been overwritten with the swap result. An observation taken at this point is meant to record the pool's state before the swap, that is, the state that held since the previous observation; calling oracle::update afterwards records the post-swap tick in its place, so the observations misrepresent the pool's pre-swap state and are inconsistent with its actual history.
Recommendation: Call oracle::update before current_tick_index (and current_sqrt_price) are updated, so the observation captures the pre-swap state.
Coding/Auditing Tip: When reviewing swap handlers, check that the oracle update runs before the pool's tick and price fields are overwritten; an observation must record the state that held during the elapsed interval, not the state the swap produces.
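The following is an added illustration, not code from Bluefin Spot or the OtterSec report. It models the oracle as a time-weighted tick accumulator (each observation adds tick * elapsed seconds, a common AMM oracle design that is assumed here, not confirmed for Bluefin) and runs the same swap sequence through a hypothetical update_pool_state in both orders, the reported one and the recommended one, to show how far the recorded average diverges. Names such as Oracle, Pool, update_pool_state and run_scenario are assumptions for the example.

```python
# Added example (not Bluefin Spot's code): a minimal time-weighted tick
# accumulator driven by two orderings of the oracle update inside a
# hypothetical update_pool_state. All names and the accumulator design
# are assumptions made for this illustration.
from dataclasses import dataclass


@dataclass
class Oracle:
    timestamp: int
    tick_cumulative: int  # running sum of (tick in effect) * seconds

    def update(self, now: int, tick_in_effect: int) -> None:
        """Extend the accumulator by the tick that was in effect since the
        previous observation. A zero or negative elapsed time is a no-op."""
        dt = now - self.timestamp
        if dt <= 0:
            return
        self.tick_cumulative += tick_in_effect * dt
        self.timestamp = now

    def twap_tick(self, cumulative_at_start: int, start_ts: int) -> int:
        """Time-weighted average tick between an earlier observation and now."""
        return (self.tick_cumulative - cumulative_at_start) // (self.timestamp - start_ts)


@dataclass
class Pool:
    current_tick_index: int


def update_pool_state(pool: Pool, oracle: Oracle, now: int,
                      post_swap_tick: int, oracle_first: bool) -> None:
    if oracle_first:
        # Recommended order: record the tick that prevailed over the elapsed
        # interval, then move the pool to its post-swap tick.
        oracle.update(now, pool.current_tick_index)
        pool.current_tick_index = post_swap_tick
    else:
        # Reported order: the pool is moved first, so the post-swap tick is
        # credited to an interval during which it was not in effect.
        pool.current_tick_index = post_swap_tick
        oracle.update(now, pool.current_tick_index)


def run_scenario(oracle_first: bool) -> int:
    """Constructed scenario: the pool sits at tick 0 for 1000 s, a swap pushes
    it to tick 10_000 at t=1000, and a second swap returns it to tick 0 one
    second later. Returns the time-weighted average tick over all 1001 s."""
    pool = Pool(current_tick_index=0)
    oracle = Oracle(timestamp=0, tick_cumulative=0)
    update_pool_state(pool, oracle, now=1000, post_swap_tick=10_000, oracle_first=oracle_first)
    update_pool_state(pool, oracle, now=1001, post_swap_tick=0, oracle_first=oracle_first)
    return oracle.twap_tick(cumulative_at_start=0, start_ts=0)


if __name__ == "__main__":
    # With the reported ordering a one-second excursion to tick 10_000 is
    # weighted as if it lasted the full 1000 s; with the recommended ordering
    # it contributes only its single second.
    print("oracle updated after tick (reported):", run_scenario(oracle_first=False))  # 9990
    print("oracle updated before tick (fixed):", run_scenario(oracle_first=True))     # 9
```

The scenario is deliberately a spike-and-revert pair of swaps: under the reported ordering the accumulator attributes the spike tick to the entire preceding interval, so a state that existed for one second dominates the average, which is exactly the kind of inconsistency the finding describes.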


