Lines of code
https://vscode.dev/github/code-423n4/2024-05-predy/blob/main/src/PriceFeed.sol#L45-L59
Vulnerability details
Impact
A malicious user can exploit the stale data to manipulate the system. Using outdated prices can lead to incorrect valuations, arbitrage opportunities, or financial losses.
Proof of Concept
The updatePriceFeeds(...) call should be added to the PriceFeed contract and be invoked before getPriceNoOlderThan(...), which reads the Pyth price, so that the on-chain price is refreshed before it is consumed. See Pyth's documentation and follow the example in https://github.com/pyth-network/pyth-sdk-solidity/blob/main/README.md#example-usage
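As an added illustration (not Predy's PriceFeed and not code from the Pyth README), the stale-read pattern the report describes beside the pull-then-read pattern it recommends. The IPyth interface comes from pyth-sdk-solidity; the contract name, MAX_AGE and the constructor are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@pythnetwork/pyth-sdk-solidity/IPyth.sol";
import "@pythnetwork/pyth-sdk-solidity/PythStructs.sol";

/// Illustrative consumer, not Predy's PriceFeed contract.
contract PythConsumerExample {
    IPyth public immutable pyth;
    bytes32 public immutable priceId;
    uint256 public constant MAX_AGE = 60; // seconds; assumed value

    constructor(address pythContract, bytes32 id) {
        pyth = IPyth(pythContract);
        priceId = id;
    }

    // Stale pattern: reads whatever price was last pushed on-chain.
    // getPriceNoOlderThan only reverts once that value is older than MAX_AGE,
    // so between pushes the caller may act on a price up to MAX_AGE seconds old.
    function readStale() external view returns (int64 price, int32 expo) {
        PythStructs.Price memory p = pyth.getPriceNoOlderThan(priceId, MAX_AGE);
        return (p.price, p.expo);
    }

    // Recommended pattern: the caller supplies signed update data fetched
    // off-chain, the contract pays the Pyth update fee and pushes it, and only
    // then reads the price, which is now at most as old as the update itself.
    function readFresh(bytes[] calldata priceUpdate)
        external
        payable
        returns (int64 price, int32 expo, uint256 publishTime)
    {
        uint256 fee = pyth.getUpdateFee(priceUpdate);
        require(msg.value >= fee, "insufficient update fee");
        pyth.updatePriceFeeds{value: fee}(priceUpdate);

        PythStructs.Price memory p = pyth.getPriceNoOlderThan(priceId, MAX_AGE);

        // Return any surplus fee to the caller.
        if (msg.value > fee) {
            (bool ok, ) = msg.sender.call{value: msg.value - fee}("");
            require(ok, "refund failed");
        }
        return (p.price, p.expo, p.publishTime);
    }
}
```

updatePriceFeeds reverts on malformed or improperly signed update data, so a successful call guarantees the subsequent read reflects the submitted update.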
Tools Used
Manual Review
Recommended Mitigation Steps
Consider calling updatePriceFeeds(...) before reading, so as to get an accurate price from Pyth's network.
Assessed type
Other