0xLogos - OracleModule verifies even invalid Pyth network price against Chainlink price

[sherlock-admin]

0xLogos

medium

OracleModule verifies even invalid Pyth network price against Chainlink price

Summary

Pyth and chainlink price difference checked even if pyth price is invalid or not used

Vulnerability Detail

In _getOffchainPrice function zero price or price with low confidence returned along with invalid flag = true if some error occured quering pyth price. But in _getPrice pyth price checked against chainlink price regardless of the flag and reverting if check fails. Basicly it checks invalid price agains chainlink price and most likely fail.

This is not immediately obvious why pyth price can fail (although it can be updated by anyone), nevetheless I believe this is deserve medium severity because this issue can be considered as not checking chainlink staleness threshold and similar issues.

Impact

If Pyth price is invalid oracle most likely fail to fallback to chainlink price DOSing critical protocol functionality

Code Snippet

Price difference check https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L111-L113

Pyth oracle can fail https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L167-L186

Tool used

Manual Review

Recommendation

Check price difference only if pyth price is valid OR only if pyth price actually used

Duplicate of #177

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

[sherlock-admin]

The protocol team fixed this issue in PR/commit https://github.com/dhedge/flatcoin-v1/pull/270.