Fallback oracle is not used if the wo_price is not feasible and is not in bounds

Summary

Currently the price_out is set to the wo_price only if it's feasible and within the bounds. However, if it's not, price_out is mistakenly set to 0 instead of using the clo_price.

Vulnerability Detail

In the current implementation, we set price_out in the following way:

https://github.com/sherlock-audit/2024-08-woofi-solana-deployment/blob/main/WOOFi_Solana/programs/woofi/src/instructions/get_price.rs#L84-90

 if wo_feasible && wo_price_in_bound {
        price_out = wo_price;
        feasible_out = true;
    } else {
        price_out = 0;
        feasible_out = false;
    }

So if the wo_feasible and wo_price_in_bound are set to false, price_out is set to 0 and feasible_out is automatically set to false which is not an expected behavior as it has to be set to the clo_price instead as Pyth network is the fallback oracle:

https://github.com/woonetwork/woofi_swap_smart_contracts/blob/main/contracts/WooracleV2.sol#L205-211

 if (checkWoFeasible && checkWoBound) {
            priceOut = woPrice;
            priceTimestamp = woPriceTimestamp;
        } else {
            priceOut = cloPrice;
            priceTimestamp = cloPriceTimestamp;
        }

The above implementation is from the EVM version of the contract. However, it uses Chainlink instead of Pyth network but the logic is the same.

Impact

The price is incorrectly set to 0 instead of the price from the fallback oracle if the wooracle is not feasible.

Code Snippet

Provided above.

Tool used

Manual Review

Recommendation

Set price_out to the clo_price in the else-statement. Moreover, it should be checked whether the price_out != 0 and if not, set feasible_out to true. Otherwise, set to false.

sherlock-audit / 2024-08-woofi-solana-deployment-judging

0xeix - Fallback oracle is not used if the wo_price is not feasible and is not in bounds #9