code-423n4 / 2024-05-predy-findings


Use of Potentially Stale Price Data from Pyth Oracle #265

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PriceFeed.sol#L45

Vulnerability details

Impact

The PriceFeed contract's reliance on the getPriceNoOlderThan function of the Pyth oracle introduces a risk that the price data used is not necessarily the most current, but rather the most recent price within a permissible age (VALID_TIME_PERIOD). This setup could lead to significant financial impact due to potential price manipulation. An attacker could exploit this by executing transactions using stale prices, benefiting from anticipated price movements within the same block, particularly in volatile markets. This might allow entering and exiting liquidity positions at non-current prices, leading to unfair gains or losses.

Proof of Concept

```solidity
// Excerpt from src/PriceFeed.sol at the linked commit
function getSqrtPrice() external view returns (uint256 sqrtPrice) {
    // Quote asset from Chainlink; roundId/updatedAt are discarded here
    (, int256 quoteAnswer,,,) = AggregatorV3Interface(_quotePriceFeed).latestRoundData();
    // Base asset from Pyth: the stored price is accepted if published within VALID_TIME_PERIOD seconds
    IPyth.Price memory basePrice = IPyth(_pyth).getPriceNoOlderThan(_priceId, VALID_TIME_PERIOD);
    require(basePrice.expo == -8, "INVALID_EXP");
    require(quoteAnswer > 0 && basePrice.price > 0);
    // base/quote ratio scaled to Q96, then corrected for the decimals difference
    uint256 price = uint256(int256(basePrice.price)) * Constants.Q96 / uint256(quoteAnswer);
    price = price * Constants.Q96 / _decimalsDiff;
    sqrtPrice = FixedPointMathLib.sqrt(price);
}
```

Demonstration of Issue:

Tools Used

Manual

Recommended Mitigation Steps

Dynamically adjust the VALID_TIME_PERIOD based on observed market volatility. In more volatile periods, reduce the time period to ensure fresher data.

Assessed type

Oracle
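One way to make the accepted price age depend on observed volatility, as an added example that is not part of the finding or of the Predy code base: MockPyth reproduces only the acceptance rule of IPyth.getPriceNoOlderThan (the stored price is returned whenever it is no older than the requested age), and VolatilityAwarePriceFeed narrows that age when the feed looks volatile. The contract names, the threshold values and the use of Pyth's confidence interval (conf / price) as the volatility proxy are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of Pyth's PythStructs.Price: price and conf share the exponent `expo`.
struct PythPrice {
    int64 price;
    uint64 conf;
    int32 expo;
    uint256 publishTime;
}

/// Hypothetical stand-in for the Pyth contract (example only). It keeps one
/// stored price per feed id, as the real contract does after updatePriceFeeds.
contract MockPyth {
    mapping(bytes32 => PythPrice) private _prices;

    function setPrice(bytes32 id, int64 price, uint64 conf, int32 expo, uint256 publishTime) external {
        _prices[id] = PythPrice(price, conf, expo, publishTime);
    }

    /// Same acceptance rule as IPyth.getPriceNoOlderThan: the *stored* price is
    /// returned whenever |block.timestamp - publishTime| <= age. Nothing here
    /// fetches a newer price; freshness depends on who last pushed an update.
    function getPriceNoOlderThan(bytes32 id, uint256 age) external view returns (PythPrice memory p) {
        p = _prices[id];
        require(p.publishTime != 0, "PRICE_FEED_NOT_FOUND");
        require(_absDiff(block.timestamp, p.publishTime) <= age, "STALE_PRICE");
    }

    function _absDiff(uint256 a, uint256 b) internal pure returns (uint256) {
        return a > b ? a - b : b - a;
    }
}

/// Consumer that narrows the accepted age when the feed looks volatile.
/// The volatility proxy is Pyth's own confidence interval (conf / price);
/// the thresholds below are assumed values chosen for the example.
contract VolatilityAwarePriceFeed {
    MockPyth public immutable pyth;
    bytes32 public immutable priceId;

    uint256 public constant VALID_TIME_PERIOD = 60;   // assumed base window (seconds)
    uint256 public constant TIGHT_TIME_PERIOD = 5;    // assumed window while volatile
    uint256 public constant VOLATILE_CONF_BPS = 50;   // assumed: conf wider than 0.5% of price

    constructor(MockPyth _pyth, bytes32 _priceId) {
        pyth = _pyth;
        priceId = _priceId;
    }

    /// Accepted age for a given price: the wider the reported confidence
    /// interval, the shorter the window during which the price is trusted.
    function maxAgeFor(PythPrice memory p) public pure returns (uint256) {
        require(p.price > 0, "INVALID_PRICE");
        uint256 confBps = (uint256(p.conf) * 10_000) / uint256(uint64(p.price));
        return confBps > VOLATILE_CONF_BPS ? TIGHT_TIME_PERIOD : VALID_TIME_PERIOD;
    }

    /// Fetch with the base window, then re-check against the volatility-derived
    /// one. Both checks revert rather than silently fall back to a stale value.
    function getBasePrice() external view returns (int64 price, uint256 ageUsed) {
        PythPrice memory p = pyth.getPriceNoOlderThan(priceId, VALID_TIME_PERIOD);
        require(p.expo == -8, "INVALID_EXP");
        ageUsed = maxAgeFor(p);
        uint256 age = block.timestamp > p.publishTime ? block.timestamp - p.publishTime : 0;
        require(age <= ageUsed, "STALE_FOR_VOLATILITY");
        price = p.price;
    }
}
```

Usage: deploy MockPyth, call setPrice(id, 300000000000, 1500000000, -8, block.timestamp - 30) (a 3000.00 price with a 15.00 confidence interval, i.e. 50 bps) and getBasePrice() returns the price with ageUsed = 60. Push the same price with conf = 2000000000 (about 67 bps) and the 30-second-old value now reverts with STALE_FOR_VOLATILITY, because the accepted window shrank to 5 seconds. The trade-off is that a tighter window turns into a denial of service whenever updates arrive less often than the window; in Pyth's pull model the usual remedy is for the caller to submit the freshest signed update through updatePriceFeeds in the same transaction before reading, so that the window measures the age of the update the caller just supplied rather than of whatever someone else last pushed.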

c4-judge commented 2 months ago

alex-ppg marked the issue as unsatisfactory: Invalid