Closed sherlock-admin closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Invalid
The priceUpdateData is validated by Pyth contracts, and incorrect price data is not accepted by the Pyth contract. Keepers can't pass arbitrary price data. The execution price needs to be a future price from the announce time (minExecutabilityTime needs to have passed).
GoSlang
high
Pricefeed update can be bypassed
Summary
Since there are no permissioned keepers in the system, anyone can handle limit order execution, liquidations and order execution.
Vulnerability Detail
The issue comes from the following functions:
executeOrder
executeLimitOrder
liquidate
All of these functions call updatePythPrice and allow the caller to specify the priceUpdateData used for the update. This is a problem, since the keeper can execute the function with an incorrect price feed, leading to the Pyth price feed not being updated. This allows a user either to front-run the Chainlink price update or to take advantage of the Pyth price being from the past, by buying at the not-yet-updated price and then updating the price, which could allow a user to gain a small risk-free profit.
This also allows keepers to decide whether a user gets the current price or an updated price, which could be used to grief the user: if the not-yet-updated price is 100 and the updated price would be 105, the keeper can decide whether to give the user a worse price or a better price.
Impact
Keepers can update the price in their own favor for gain, or against other users to cause them losses.
Code Snippet
Tool used
Manual Review
Recommendation
Consider changing updatePythPrice to always update the correct price feed instead of updating whatever the keeper passes in.
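The following is an added example, not code from the audited project, the reporter or the judge. It shows in Solidity, against the public pyth-sdk-solidity interface, the two patterns discussed above: a keeper-chosen update pushed with updatePriceFeeds and settled on the latest on-chain price, beside a version that pins the settlement price to the order's own executability window (the minExecutabilityTime constraint the judge's comment refers to) using parsePriceFeedUpdates. The contract, its Order struct, the window constants, the 60-second staleness bound and the function names are hypothetical assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the audited project's code. The Pyth calls are the
// public pyth-sdk-solidity interface; the order struct, timing constants and
// function names are hypothetical.
import "@pythnetwork/pyth-sdk-solidity/IPyth.sol";
import "@pythnetwork/pyth-sdk-solidity/PythStructs.sol";

contract OrderExecutionExample {
    struct Order {
        address owner;
        uint64 announcedAt; // block.timestamp when the order was announced
        uint256 size;
    }

    IPyth public immutable pyth;
    bytes32 public immutable priceId;            // Pyth feed id of the traded asset
    uint64 public immutable minExecutabilityAge; // seconds after announcement before execution is allowed
    uint64 public immutable maxExecutabilityAge; // seconds after announcement after which the order expires

    mapping(uint256 => Order) public orders;
    uint256 public nextOrderId;

    event Executed(uint256 indexed orderId, int64 price, uint256 publishTime);

    constructor(IPyth _pyth, bytes32 _priceId, uint64 _minAge, uint64 _maxAge) {
        require(_minAge < _maxAge, "bad window");
        pyth = _pyth;
        priceId = _priceId;
        minExecutabilityAge = _minAge;
        maxExecutabilityAge = _maxAge;
    }

    function announceOrder(uint256 size) external returns (uint256 orderId) {
        orderId = nextOrderId++;
        orders[orderId] = Order({owner: msg.sender, announcedAt: uint64(block.timestamp), size: size});
    }

    // Pattern the report objects to: push whatever update the keeper supplied,
    // then settle on the latest on-chain price. Pyth rejects forged or malformed
    // updates, but the keeper still picks which signed update (if any) gets
    // pushed, so the settlement price depends on the keeper's choice rather
    // than on the order's own timing.
    function executeOrderWeak(uint256 orderId, bytes[] calldata priceUpdateData) external payable {
        Order memory o = orders[orderId];
        require(o.owner != address(0), "no such order");
        require(block.timestamp >= o.announcedAt + minExecutabilityAge, "too early");

        uint256 fee = pyth.getUpdateFee(priceUpdateData);
        pyth.updatePriceFeeds{value: fee}(priceUpdateData);
        // 60-second staleness bound: a constructed value for this example.
        PythStructs.Price memory p = pyth.getPriceNoOlderThan(priceId, 60);
        _settle(orderId, p.price, p.publishTime);
    }

    // Hardened pattern: settle only on a price whose publishTime lies inside this
    // order's executability window. parsePriceFeedUpdates verifies the update's
    // signatures and reverts unless it contains priceId with a publishTime in
    // [minPublishTime, maxPublishTime], so a price from before the announcement
    // (or after expiry) cannot be used, whatever the keeper passes in.
    function executeOrder(uint256 orderId, bytes[] calldata priceUpdateData) external payable {
        Order memory o = orders[orderId];
        require(o.owner != address(0), "no such order");
        uint64 minPublish = o.announcedAt + minExecutabilityAge;
        uint64 maxPublish = o.announcedAt + maxExecutabilityAge;
        require(block.timestamp >= minPublish, "too early");
        require(block.timestamp <= maxPublish, "expired");

        bytes32[] memory ids = new bytes32[](1);
        ids[0] = priceId;
        uint256 fee = pyth.getUpdateFee(priceUpdateData);
        PythStructs.PriceFeed[] memory feeds =
            pyth.parsePriceFeedUpdates{value: fee}(priceUpdateData, ids, minPublish, maxPublish);
        PythStructs.Price memory p = feeds[0].price;
        _settle(orderId, p.price, p.publishTime);
    }

    function _settle(uint256 orderId, int64 price, uint256 publishTime) internal {
        // Settlement logic omitted; only the price selection is the point here.
        delete orders[orderId];
        emit Executed(orderId, price, publishTime);
    }
}
```

Two design notes: parsePriceFeedUpdates only verifies and returns the update, it does not persist it on-chain, so a contract whose other paths read pyth.getPrice should still call updatePriceFeeds where a fresh stored price is needed; and within the window the keeper can still choose among any signed updates Pyth published, so the width of [minExecutabilityAge, maxExecutabilityAge] bounds how much price selection a keeper retains.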