Fast Sand Millipede
High
get_price.rs - Missing Ownership Validation on Oracle Accounts

Summary
The contract does not verify that the price_update and quote_price_update accounts used to fetch oracle price data are owned by the Pyth oracle program. This creates a vulnerability where an attacker could provide impersonator accounts that mimic the structure of legitimate oracle accounts but deliver manipulated price data.

Vulnerability Detail
The contract interacts with the following accounts for price updates but lacks ownership checks:

Impact
Data Manipulation: Attackers could create fake price_update and quote_price_update accounts and inject manipulated price data into the contract. This can lead to:

Code Snippet
https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/get_price.rs#L19-L20

Tool used
Manual Review

Recommendation
To mitigate this issue, implement ownership validation on the price_update and quote_price_update accounts to ensure they belong to the Pyth oracle program. In Anchor, this can be done by adding an owner check in the account definition.
Like this:

```rust
#[account(
    owner = pyth_solana_receiver_sdk::ID // Replace with the actual Pyth program ID
)]
pub price_update: Account<'info, PriceUpdateV2>,
#[account(
    owner = pyth_solana_receiver_sdk::ID // Replace with the actual Pyth program ID
)]
pub quote_price_update: Account<'info, PriceUpdateV2>,
```

This ensures that both the price_update and quote_price_update accounts are owned by the Pyth oracle program, preventing the use of manipulated accounts.
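As an added example (not code from the report or the WOOFi repository), the snippet below models in plain Rust, without Solana or Anchor crates, why the owner check matters: a layout-only parser accepts an impersonator account whose bytes mimic a price update, while the owner-validated loader rejects it. The program id, the account layout and the byte values are constructed placeholders.

```rust
// Added example, not from the audit report or the WOOFi code base: models the
// owner check the recommendation asks for, without Solana or Anchor crates.
// The program id, account layout and account bytes are constructed placeholders.
use std::convert::TryInto;

type Pubkey = [u8; 32];
// Placeholder for the Pyth receiver program id (pyth_solana_receiver_sdk::ID on-chain).
const PYTH_RECEIVER_ID: Pubkey = [0x11; 32];

/// Stand-in for an account as the runtime hands it to a program: owner plus raw data.
pub struct AccountView<'a> { pub owner: Pubkey, pub data: &'a [u8] }

/// Fields a price consumer reads; constructed layout: i64 price, u64 conf, i32 exponent.
#[derive(Debug, PartialEq)]
pub struct PriceUpdate { pub price: i64, pub conf: u64, pub exponent: i32 }

#[derive(Debug, PartialEq)]
pub enum OracleError { WrongOwner, BadLayout }

/// Layout-only parse: any 20 well-formed bytes pass, whoever owns the account.
pub fn parse_price_update(data: &[u8]) -> Result<PriceUpdate, OracleError> {
    if data.len() < 20 {
        return Err(OracleError::BadLayout);
    }
    Ok(PriceUpdate {
        price: i64::from_le_bytes(data[0..8].try_into().unwrap()),
        conf: u64::from_le_bytes(data[8..16].try_into().unwrap()),
        exponent: i32::from_le_bytes(data[16..20].try_into().unwrap()),
    })
}

/// Hardened load: refuse the account unless the Pyth program owns it, then parse.
/// This is the check the Anchor `owner = pyth_solana_receiver_sdk::ID` constraint performs.
pub fn load_price_update(acct: &AccountView) -> Result<PriceUpdate, OracleError> {
    if acct.owner != PYTH_RECEIVER_ID {
        return Err(OracleError::WrongOwner);
    }
    parse_price_update(acct.data)
}

/// Serialises a PriceUpdate into the layout above; used to build sample accounts.
pub fn encode_price_update(p: &PriceUpdate) -> Vec<u8> {
    let mut v = Vec::with_capacity(20);
    v.extend_from_slice(&p.price.to_le_bytes());
    v.extend_from_slice(&p.conf.to_le_bytes());
    v.extend_from_slice(&p.exponent.to_le_bytes());
    v
}
```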