Avci - Users can call executeOrder() function without paying the Pyth network fee

[sherlock-admin2]

Avci

high

Users can call executeOrder() function without paying the Pyth network fee

Summary

there is no check in the updatePythPrice() function that ensures the user msg.value is enough to pay the Phyth network fee.

Vulnerability Detail

someone calls executeOrder() function with zero msg.value, updatePythPrice() modifier calls updatePythPrice() function with msg.value (which is zero), updatePythPrice() function gets fee amount and pays the Pyth network fee and finally checks msg.value for refund. but we can see there is no check for msg.value that not less than fee amount. As a result OracleModule.sol contract pays fee instead of the caller.

Impact

• OracleModule.sol pays Pyth network fee instead of caller.

• Attacker can call the updatePythPrice() consecutively with zero msg.value and drain all ethers of the contract (lead to broke oracle and DOS the protocol).

  Code Snippet

  
  function updatePythPrice(address sender, bytes[] calldata priceUpdateData) external payable nonReentrant {
      // Get fee amount to pay to Pyth
      uint256 fee = offchainOracle.oracleContract.getUpdateFee(priceUpdateData);
  
      // Update the price data (and pay the fee)
      offchainOracle.oracleContract.updatePriceFeeds{value: fee}(priceUpdateData);
  
      if (msg.value - fee > 0) {
          // Need to refund caller. Try to return unused value, or revert if failed
          (bool success, ) = sender.call{value: msg.value - fee}("");
          if (success == false) revert FlatcoinErrors.RefundFailed();
      }
  }

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/DelayedOrder.sol#L378-L410

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/abstracts/OracleModifiers.sol#L12-L22

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L64-L76
## Tool used

Manual Review

## Recommendation
Consider checking msg.value>=fee. very simple.

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

[nevillehuang]

Invalid, see out of scope updatePriceFeeds(), where fee needs to be paid, see here