The rationale for using Pyth and the Fallback oracle is logical:
Sometimes Pyth is unavailable
However, once Pyth becomes unavailable, people will have the option to constantly chose between Pyth and the fallback oracle
The fallback oracle is a push type oracle, meaning that it won't always be updated
This may create opportunity for arbitrage for:
Redemptions
Increasing Debts (as other account debts will not have their prices checked for staleness)
Mitigation
Overall you should rethink the FSM around how stale vs trusted prices could be used as the current implementation opens up for a lot of arbitrage and edge cases
You should consider changing fees based on the oracle you're using
An oracle deviation threshold + time to update are inherently +EV to arbitrageurs
You should consider changing fees based on which oracle is being used, where Pyth could have a lower fee and the fallback would most likely have to charge a higher fee
Impact
The rationale for using Pyth and the Fallback oracle is logical: Sometimes Pyth is unavailable
However, once Pyth becomes unavailable, people will have the option to constantly chose between Pyth and the fallback oracle
The fallback oracle is a push type oracle, meaning that it won't always be updated
This may create opportunity for arbitrage for:
Mitigation
Overall you should rethink the FSM around how stale vs trusted prices could be used as the current implementation opens up for a lot of arbitrage and edge cases
You should consider changing fees based on the oracle you're using
An oracle deviation threshold + time to update are inherently +EV to arbitrageurs You should consider changing fees based on which oracle is being used, where Pyth could have a lower fee and the fallback would most likely have to charge a higher fee