Research Summary: DeFiRANGERS: Detecting Price Manipulation Attacks On DeFi Applications

I agree with you that TWAP can prevent price attacks; I think it is possible that the authors did not mention this due to the ‘easy’ manipulation of TWAP. Also, I think another thing to point out is that the researchers are focused on attacks that arise from the smart contract logic and not the code. Logic vulnerabilities are seemingly not as commonly researched as the code vulnerabilities and have higher chances of passing DeFi audits based on existing tools that tackle code-based attacks like re-entrancy and integer overflow. It seems TWAP may be unable to prevent attacks arising from the smart contract logic.

To contextualise this, take the Harvest case, for instance: the arbitrage opportunity used by the hacker was not based on the code or detected in the security audit; rather, it was based on the protocol infrastructure. So, it seems there is still more research to be done on tools that can detect and prevent attacks that are based on the smart contract logic as opposed to the code.

Also, Promutator is a great tool that examines price oracle susceptibility (but based on the code vulnerabilities in the smart contract).

Here are some papers that I found helpful when writing this summary:
A Survey of DeFi Security: Challenges and Opportunities
DeFi Security Audit: How to Prevent your Defi Project from Hacking? - this one examines the code and logic vulnerabilities in the smart contracts of DeFi apps.
I just read this paper but it explains how TWAP can be manipulated and the cost.

P.S: Super excited to host your first comment haha

2 Likes