Closed sherlock-admin2 closed 11 months ago
3 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid because this is a user mistake, which is not a valid issue by Sherlock rules; a similar finding was also judged invalid in the main contest
n33k commented:
invalid, user error
polarzero commented:
Invalid. Users sending ETH accidentally just because the contract allows it (even if it's through a function call) is not a valid medium/high issue.
Daniel_MetaTrust
medium
Potential Lock Ether Forever
Summary
In the PythOracle contract, the commit function is used to commit the price to a non-requested version at a cost of Ether, but it lacks a check that msg.value equals the expected usage.
Vulnerability Detail
In the commit function of the PythOracle contract, the amount of Ether used is IPythStaticFee(address(pyth)).singleUpdateFeeInWei() * idList.length when invoking the pyth.parsePriceFeedUpdates function from the _validateAndGetPrice function. However, there is no check that msg.value equals IPythStaticFee(address(pyth)).singleUpdateFeeInWei() * idList.length, which results in the transaction reverting if msg.value is less than expected, or in the redundant Ether being locked into the PythOracle forever if msg.value is greater than expected, since there is no function to withdraw redundant Ether. The same scenario happens for the commitRequested function.
Impact
Redundant Ether is locked into the PythOracle contract forever when the msg.value sent to the commit function is greater than expected.
Code Snippet
Function commit calls the _validateAndGetPrice function.
Function _validateAndGetPrice calls the parsePriceFeedUpdates function with a cost of IPythStaticFee(address(pyth)).singleUpdateFeeInWei() * idList.length Ether:
Tool used
Vscode, Manual Review
Recommendation
Check that msg.value equals IPythStaticFee(address(pyth)).singleUpdateFeeInWei() * idList.length, or return the redundant Ether to the caller.
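The refund variant of the recommendation, as an added illustration that is not the PythOracle code or part of the original report. The interfaces are minimal stand-ins written for this example, and the commit signature (idList, updateData, publishTime) is assumed; only the fee computation mirrors the expression quoted in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces for illustration only; not the project's own declarations.
interface IPythStaticFee {
    function singleUpdateFeeInWei() external view returns (uint256);
}

interface IPythMinimal {
    // Same parameter shape as Pyth's parsePriceFeedUpdates; return data ignored here.
    function parsePriceFeedUpdates(
        bytes[] calldata updateData,
        bytes32[] calldata priceIds,
        uint64 minPublishTime,
        uint64 maxPublishTime
    ) external payable;
}

contract FeeCheckedOracleExample {
    IPythMinimal public immutable pyth;

    error InsufficientFee(uint256 expected, uint256 sent);
    error RefundFailed();

    constructor(address pyth_) {
        pyth = IPythMinimal(pyth_);
    }

    // Hypothetical commit(): computes the exact Pyth fee, rejects underpayment
    // with a clear error, forwards only the fee, and refunds any surplus so
    // no ETH is left stranded in this contract.
    function commit(
        bytes32[] calldata idList,
        bytes[] calldata updateData,
        uint64 publishTime
    ) external payable {
        uint256 fee = IPythStaticFee(address(pyth)).singleUpdateFeeInWei() * idList.length;
        if (msg.value < fee) revert InsufficientFee(fee, msg.value);

        // Forward exactly the fee; Pyth itself reverts if the fee is wrong.
        pyth.parsePriceFeedUpdates{value: fee}(updateData, idList, publishTime, publishTime);

        // Refund last, after all external work, so a reentrant caller sees final state.
        uint256 surplus = msg.value - fee;
        if (surplus > 0) {
            (bool ok, ) = msg.sender.call{value: surplus}("");
            if (!ok) revert RefundFailed();
        }
    }
}
```

A stricter alternative is to replace the refund with `if (msg.value != fee) revert InsufficientFee(fee, msg.value);`, which makes overpayment fail loudly instead of being returned.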