toprince
commented
1 month ago Not valid. pyth price is for checking whether wooracle's price is valid. Same with https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/9
Open sherlock-admin2 opened 1 month ago
toprince
commented
1 month ago Not valid. pyth price is for checking whether wooracle's price is valid. Same with https://github.com/sherlock-audit/2024-08-woofi-solana-deployment-judging/issues/9
dod4ufn
High
_quote_amount is always calculated with outdated price potentially leading to loss of funds
Summary
Wooracle uses prices that were calculated using the previous call of Pyth’s oracle.
Vulnerability Detail
In
swap.rswhentoken_mintis not equal toquote_token_mint, the functionget_price::get_state_implis called to fetch the price from the wooracle. Although, instead of returning the price fetched from the Pyth’s oracle, the function checks whether the fetched price is within set bounds of the price that was manually set in wooracle’s price variable.Then the price is updated using the wooracle’s price variable and their formula, resulting again in a price that is not equal to the oracle’s price.
Impact
Since the wooracle’s price doesn’t match the Pyth’s price, it will lead to a situation where either legit users are getting worse prices (loss of funds) or malicious users extracting value from the pools (arbitrage) by buying when the wooracle’s price is off the Pyth’s oracle price.
Code Snippet
[Fetching price when from.token_mint is not equal to from.quote_token_mint](https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/swap.rs#L135-L149)
[Fetching price when to.token_mint is not equal to to.quote_token_mint](https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/swap.rs#L168-L180)
[get_price::get_state_impl](https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/get_price.rs#L112) [price_out is oracle.price instead of Pyth’s price](https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/get_price.rs#L84-L90)
Tool used
Manual Review
Recommendation
Instead of checking whether the wooracle.price is within the bounds set in the wooracle, make use of the fetched price.