search

sherlock-audit / 2023-07-perennial-judging

2 stars 1 forks source link

0x73696d616f - Missing refund to the `keeper` in the `PythOracle` if they send extra native when commiting a price #165

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

0x73696d616f

medium

Missing refund to the keeper in the PythOracle if they send extra native when commiting a price

Summary

The PythOracle calls parsePriceFeedUpdates() of the Pyth network contracts. with a fee as msg.value. The msg.value sent could be bigger than the required fee from pyth.getUpdateFee(updateDataList), which would leave the native stuck in the PythOracle.

Vulnerability Detail

The sent msg.value is not refunded if it is bigger than the pyth.getUpdateFee() call, leading to stuck native in the PythOracle contract.

Impact

Stuck native in PythOracle.

Code Snippet

Notice function _validateAndGetPrice(), which has no refund to the extra msg.value sent:

function _validateAndGetPrice(uint256 oracleVersion, bytes calldata updateData) private returns (PythStructs.Price memory price) {
    bytes[] memory updateDataList = new bytes[](1);
    updateDataList[0] = updateData;
    bytes32[] memory idList = new bytes32[](1);
    idList[0] = id;

    return pyth.parsePriceFeedUpdates{value: pyth.getUpdateFee(updateDataList)}(
        updateDataList,
        idList,
        SafeCast.toUint64(oracleVersion + MIN_VALID_TIME_AFTER_VERSION),
        SafeCast.toUint64(oracleVersion + MAX_VALID_TIME_AFTER_VERSION)
    )[0].price;
}

Tool used

Vscode, Hardhat, Manual Review

Recommendation

Return the fee from pyth.getUpdateFee() from function validateAndGetPrice() and refund the extra sent in the end of the commitRequested() and commit calls (to follow the checks-effects-interactions pattern).

Duplicate of #53

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

panprog commented:

low (invalid) because it's user error