Rare Fuchsia Orangutan
Medium
PythOracle
contract utilizes getPriceUnsafe()
method to fetch the price from Pyth. As per Pyth official docs, in contract to the contest README, this function does not guarantee getting an up to date price:
This function may return a price from arbitrarily far in the past. It is the caller's responsibility to check the returned timestamp to ensure that the update is recent enough for their use case. ^source Similarly, API3 and Band oracle prices are not verified in terms of staleness.
According to the README, no off-chain mechanism ensures that the price is recent.
_getLatestPrice()
function does not implement any staleness checks on the returned price in all of the implemented oracles:
https://github.com/sherlock-audit/2024-12-mach-finance/blob/main/contracts/src/Oracles/Pyth/PythOracle.sol#L98-L103
https://github.com/sherlock-audit/2024-12-mach-finance/blob/main/contracts/src/Oracles/Band/BandOracle.sol#L85-L87
https://github.com/sherlock-audit/2024-12-mach-finance/blob/main/contracts/src/Oracles/API3/API3Oracle.sol#L79-L86
No response
No response
No response
Prices used in PriceOracleAggregator
will be stale, as the Pyth oracle is the first one in line assuming it does not return isValid = false
.
This will lead to bad debt as cTokens will be incorrectly priced presenting an arbitrage opportunity.
No response
Follow Pyth's best practises by implementing staleness checks and/or consider utilizing getPriceNoOlderThan()
function to ensure extra security. Implement similar checks for all other oracles.