Users can call executeOrder() function without paying the Pyth network fee
Summary
there is no check in the updatePythPrice() function that ensures the user msg.value is enough to pay the Phyth network fee.
Vulnerability Detail
someone calls executeOrder() function with zero msg.value, updatePythPrice() modifier calls updatePythPrice() function with msg.value (which is zero), updatePythPrice() function gets fee amount and pays the Pyth network fee and finally checks msg.value for refund. but we can see there is no check for msg.value that not less than fee amount. As a result OracleModule.sol contract pays fee instead of the caller.
Impact
OracleModule.sol pays Pyth network fee instead of caller.
Attacker can call the updatePythPrice() consecutively with zero msg.value and drain all ethers of the contract (lead to broke oracle and DOS the protocol).
Code Snippet
function updatePythPrice(address sender, bytes[] calldata priceUpdateData) external payable nonReentrant {
// Get fee amount to pay to Pyth
uint256 fee = offchainOracle.oracleContract.getUpdateFee(priceUpdateData);
// Update the price data (and pay the fee)
offchainOracle.oracleContract.updatePriceFeeds{value: fee}(priceUpdateData);
if (msg.value - fee > 0) {
// Need to refund caller. Try to return unused value, or revert if failed
(bool success, ) = sender.call{value: msg.value - fee}("");
if (success == false) revert FlatcoinErrors.RefundFailed();
}
}
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/DelayedOrder.sol#L378-L410
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/abstracts/OracleModifiers.sol#L12-L22
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L64-L76
## Tool used
Manual Review
## Recommendation
Consider checking msg.value>=fee. very simple.
Avci
high
Users can call executeOrder() function without paying the Pyth network fee
Summary
there is no check in the updatePythPrice() function that ensures the user msg.value is enough to pay the Phyth network fee.
Vulnerability Detail
someone calls executeOrder() function with zero msg.value, updatePythPrice() modifier calls updatePythPrice() function with msg.value (which is zero), updatePythPrice() function gets fee amount and pays the Pyth network fee and finally checks msg.value for refund. but we can see there is no check for msg.value that not less than fee amount. As a result OracleModule.sol contract pays fee instead of the caller.
Impact
Attacker can call the updatePythPrice() consecutively with zero msg.value and drain all ethers of the contract (lead to broke oracle and DOS the protocol).
Code Snippet