Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PriceFeed.sol#L45
Vulnerability details
Impact
The PriceFeed contract relies on the getPriceNoOlderThan function of the Pyth oracle. That function does not guarantee the most current price: it returns the most recent price whose age is within the permissible window (VALID_TIME_PERIOD). This can have a significant financial impact through price manipulation. An attacker could execute transactions against a stale price, profiting from price movements that are anticipated within the same block, particularly in volatile markets. This could allow liquidity positions to be entered and exited at non-current prices, producing unfair gains or losses.
Proof of Concept
Demonstration of Issue:
No real-time price validation: The contract does not verify that the fetched price is the freshest available.
Potential manipulation scenario: An attacker could anticipate the transaction outcome from the stale price and execute a profitable trade before newer price data becomes available.
Tools Used
Manual
Recommended Mitigation Steps
Dynamically adjust VALID_TIME_PERIOD based on observed market volatility. In more volatile periods, reduce the time period to ensure fresher data.
Assessed type
Oracle
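To make the staleness window and the recommended mitigation concrete, here is an added Python simulation; it is not code from the Predy repository or from Pyth. It models only the behaviour described above: a consumer can see just the price last cached on chain, and getPriceNoOlderThan accepts that cached price as long as its age is within the caller's limit. The MockPythOracle class, the price histories, the timestamps and the volatility-to-window scaling rule are all constructed for illustration; the exact adjustment formula is an assumption, not something the finding prescribes.

```python
import math
from dataclasses import dataclass
from statistics import pstdev


class StalePrice(Exception):
    """Raised when the cached on-chain price is older than the caller's maximum age."""


@dataclass(frozen=True)
class PriceUpdate:
    price: float
    publish_time: int  # unix seconds


class MockPythOracle:
    """Constructed stand-in for the on-chain Pyth cache (not the real Pyth contract).

    A consumer only ever sees the price that was last pushed on chain, never the
    freshest off-chain quote, which is what makes a wide staleness window risky.
    """

    def __init__(self) -> None:
        self._cached: list[PriceUpdate] = []

    def push(self, update: PriceUpdate) -> None:
        self._cached.append(update)

    def get_price_no_older_than(self, now: int, max_age: int) -> PriceUpdate:
        # Mirrors the semantics the finding describes: the cached price is returned
        # whenever its age is within max_age, otherwise the read is rejected.
        latest = self._cached[-1]
        age = now - latest.publish_time
        if age > max_age:
            raise StalePrice(f"cached price is {age}s old, limit is {max_age}s")
        return latest


def realized_volatility(prices: list[float]) -> float:
    """Population standard deviation of log returns over a window of recent prices."""
    returns = [math.log(b / a) for a, b in zip(prices, prices[1:])]
    return pstdev(returns) if len(returns) > 1 else 0.0


def volatility_adjusted_max_age(base_period: int, min_period: int,
                                reference_vol: float, observed_vol: float) -> int:
    """Shrink the permissible staleness as volatility rises (the finding's mitigation).

    Assumed rule: at or below reference_vol the full base_period applies; above it the
    window shrinks in proportion to the excess volatility, never below min_period.
    """
    if observed_vol <= reference_vol:
        return base_period
    return max(min_period, int(base_period * reference_vol / observed_vol))


def read_price(oracle: MockPythOracle, now: int, max_age: int) -> float:
    """What a consumer such as PriceFeed would obtain for a given staleness limit."""
    return oracle.get_price_no_older_than(now, max_age).price


def staleness_scenario() -> dict:
    """Constructed scenario: a 45-second-old cached price in a calm versus volatile market."""
    valid_time_period = 60   # fixed window, stands in for VALID_TIME_PERIOD
    min_period = 10
    reference_vol = 0.005

    oracle = MockPythOracle()
    oracle.push(PriceUpdate(price=100.0, publish_time=1000))
    now = 1045  # 45 seconds after the last on-chain update

    calm_history = [100.0, 100.1, 100.0, 100.2, 100.1]
    volatile_history = [100.0, 103.0, 99.0, 104.0, 98.0]

    calm_age = volatility_adjusted_max_age(
        valid_time_period, min_period, reference_vol, realized_volatility(calm_history))
    volatile_age = volatility_adjusted_max_age(
        valid_time_period, min_period, reference_vol, realized_volatility(volatile_history))

    # With the fixed window the 45s-old price is accepted regardless of market conditions.
    fixed_price = read_price(oracle, now, valid_time_period)

    # With the adaptive window the same read is rejected once volatility is high,
    # forcing the caller to land a fresh update before the price can be used.
    try:
        read_price(oracle, now, volatile_age)
        adaptive_rejected = False
    except StalePrice:
        adaptive_rejected = True

    return {
        "fixed_window_price": fixed_price,
        "calm_max_age": calm_age,
        "volatile_max_age": volatile_age,
        "adaptive_rejected": adaptive_rejected,
    }


if __name__ == "__main__":
    print(staleness_scenario())
```

The point of the simulation is the contrast in the last two results: the fixed 60-second window hands back the 45-second-old price in both markets, while the volatility-scaled window keeps the full 60 seconds in the calm history but collapses to the 10-second floor in the volatile one, so the stale read fails and the consumer must refresh the on-chain price first.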