code-423n4 / 2024-05-predy-findings


Pyth's `updatePriceFeeds(....)` should be called first before calling `getPriceNoOlderThan(...)` to get an accurate price. #84

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 3 months ago

Lines of code

https://vscode.dev/github/code-423n4/2024-05-predy/blob/main/src/PriceFeed.sol#L45-L59

Vulnerability details

Impact

A malicious user can exploit the stale data to manipulate the system. Using outdated prices can lead to incorrect valuations, arbitrage opportunities, or financial losses.

Proof of Concept

```solidity
    // Fragment of PriceFeed.sol: read the Pyth base price. getPriceNoOlderThan
    // reverts if the stored on-chain price is older than VALID_TIME_PERIOD.
    IPyth.Price memory basePrice = IPyth(_pyth).getPriceNoOlderThan(_priceId, VALID_TIME_PERIOD);

    require(basePrice.expo == -8, "INVALID_EXP");

    require(quoteAnswer > 0 && basePrice.price > 0);

    // Combine the Pyth base price with the quote price in Q96 fixed point,
    // then take the square root.
    uint256 price = uint256(int256(basePrice.price)) * Constants.Q96 / uint256(quoteAnswer);
    price = price * Constants.Q96 / _decimalsDiff;

    sqrtPrice = FixedPointMathLib.sqrt(price);
}
```

The `updatePriceFeeds(....)` argument should be added to the PriceFeed contract and be called before `getPriceNoOlderThan(...)`, which needs to read the Pyth price, so as to update the contract with the latest price.

See Pyth's documentation and follow the example in: https://github.com/pyth-network/pyth-sdk-solidity/blob/main/README.md#example-usage

Tools Used

Manual Review

Recommended Mitigation Steps

Consider calling `updatePriceFeeds(....)` so as to get an accurate price from the Pyth network.

Assessed type

Other
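The update-then-read pattern from the Pyth SDK README that the finding points to, written out as an added illustration (this is not Predy's PriceFeed code and not part of the original issue); the contract name, the 60-second window and the SDK import paths are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Predy's code. Uses the Pyth SDK interface and types;
// the import paths assume the @pythnetwork/pyth-sdk-solidity package layout.
import "@pythnetwork/pyth-sdk-solidity/IPyth.sol";
import "@pythnetwork/pyth-sdk-solidity/PythStructs.sol";

contract PullThenReadPriceFeed {
    IPyth public immutable pyth;
    bytes32 public immutable priceId;
    // Maximum accepted age of the on-chain price, in seconds (chosen for this example).
    uint256 public constant VALID_TIME_PERIOD = 60;

    constructor(address pythContract, bytes32 priceId_) {
        pyth = IPyth(pythContract);
        priceId = priceId_;
    }

    // The caller supplies a signed price update fetched off-chain and pays the
    // update fee; the same transaction then reads the freshly posted price.
    function refreshAndRead(bytes[] calldata priceUpdate)
        external
        payable
        returns (PythStructs.Price memory basePrice)
    {
        uint256 fee = pyth.getUpdateFee(priceUpdate);
        require(msg.value >= fee, "INSUFFICIENT_FEE");
        pyth.updatePriceFeeds{value: fee}(priceUpdate);

        // Reverts (StalePrice) if the stored price is older than VALID_TIME_PERIOD,
        // so a stale value is never handed back silently.
        basePrice = pyth.getPriceNoOlderThan(priceId, VALID_TIME_PERIOD);

        // Same sanity checks the PriceFeed fragment applies to the Pyth answer.
        require(basePrice.expo == -8, "INVALID_EXP");
        require(basePrice.price > 0, "INVALID_PRICE");
    }
}
```

Because `getPriceNoOlderThan` reverts instead of returning a price older than the requested age, a read without a preceding update fails closed rather than yielding stale data; the pull step simply lets the caller refresh the feed in the same transaction.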

c4-judge commented 2 months ago

alex-ppg marked the issue as unsatisfactory: Invalid