
Rare Fuchsia Orangutan

Medium

All oracles lack staleness checks

Summary

The PythOracle contract uses the getPriceUnsafe() method to fetch the price from Pyth. According to the official Pyth docs, and in contrast to the contest README, this function does not guarantee an up-to-date price:

This function may return a price from arbitrarily far in the past. It is the caller's responsibility to check the returned timestamp to ensure that the update is recent enough for their use case.

Similarly, the API3 and Band oracle prices are not verified for staleness.

According to the README, no off-chain mechanism ensures that the price is recent.

Root Cause

The _getLatestPrice() function does not implement any staleness check on the returned price in any of the implemented oracles:
https://github.com/sherlock-audit/2024-12-mach-finance/blob/main/contracts/src/Oracles/Pyth/PythOracle.sol#L98-L103
https://github.com/sherlock-audit/2024-12-mach-finance/blob/main/contracts/src/Oracles/Band/BandOracle.sol#L85-L87
https://github.com/sherlock-audit/2024-12-mach-finance/blob/main/contracts/src/Oracles/API3/API3Oracle.sol#L79-L86

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

Prices used in PriceOracleAggregator will be stale, because the Pyth oracle is the first one in line and is trusted as long as it does not return isValid = false.

This will lead to bad debt, as cTokens will be incorrectly priced, presenting an arbitrage opportunity.

PoC

No response

Mitigation

Follow Pyth's best practices by implementing staleness checks and/or using the getPriceNoOlderThan() function for extra security. Implement similar checks for all other oracles.
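A minimal Solidity illustration of the two mitigation options, added here as an example; it is not part of the finding or of the Mach Finance code base. The contract, the feedIds mapping and the MAX_PRICE_AGE value are assumptions; the IPyth calls and PythStructs.Price fields are the real pyth-sdk-solidity API.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@pythnetwork/pyth-sdk-solidity/IPyth.sol";
import "@pythnetwork/pyth-sdk-solidity/PythStructs.sol";

/// Illustrative wrapper (not the audited PythOracle): the unchecked read from
/// the finding beside two staleness-checked variants.
contract StalenessCheckedPythOracle {
    IPyth public immutable pyth;
    // Assumed: token => Pyth price feed id, set by the deployer.
    mapping(address => bytes32) public feedIds;
    // Assumed upper bound on acceptable price age, in seconds.
    uint256 public constant MAX_PRICE_AGE = 60;

    constructor(IPyth _pyth) { pyth = _pyth; }

    // Pattern described in the finding: publishTime is never inspected, so a
    // price from arbitrarily far in the past is accepted as current.
    function _getLatestPriceUnchecked(address token) internal view returns (int64, int32) {
        PythStructs.Price memory p = pyth.getPriceUnsafe(feedIds[token]);
        return (p.price, p.expo);
    }

    // Option (a): keep getPriceUnsafe but verify the timestamp explicitly and
    // report isValid = false, so an aggregator can fall through to the next oracle
    // instead of consuming a stale value. Absolute difference guards against a
    // publishTime slightly ahead of block.timestamp.
    function _getLatestPriceChecked(address token)
        internal view returns (int64 price, int32 expo, bool isValid)
    {
        PythStructs.Price memory p = pyth.getPriceUnsafe(feedIds[token]);
        uint256 age = block.timestamp >= p.publishTime
            ? block.timestamp - p.publishTime
            : p.publishTime - block.timestamp;
        if (age > MAX_PRICE_AGE || p.price <= 0) return (0, 0, false);
        return (p.price, p.expo, true);
    }

    // Option (b): let Pyth enforce the bound; the call reverts when the stored
    // price is older than MAX_PRICE_AGE seconds.
    function _getLatestPriceNoOlderThan(address token) internal view returns (int64, int32) {
        PythStructs.Price memory p = pyth.getPriceNoOlderThan(feedIds[token], MAX_PRICE_AGE);
        return (p.price, p.expo);
    }
}
```

Option (a) fits an aggregator that is expected to fall back to another oracle; option (b) is simpler but turns a stale feed into a revert, which must be acceptable for every caller of the price.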