Skip to content

Latest commit

 

History

History
49 lines (27 loc) · 1.42 KB

File metadata and controls

49 lines (27 loc) · 1.42 KB

Rare Fuchsia Orangutan

Medium

Lack of confidence intervals checks for Pyth price feed

Summary

Pyth price feeds specify uncertainty of the returned price. As per the official docs of Pyth Price Feeds, utilizing this confidence interval is recommended for enhanced security.

Root Cause

Confidence of Pyth price feed is ignored:

        PythStructs.Price memory pythPrice = pyth.getPriceUnsafe(priceFeedId);

        uint256 price = uint256(uint64(pythPrice.price));
        uint256 expo = uint256(uint32(-pythPrice.expo));

        return (price, expo);

https://github.com/sherlock-audit/2024-12-mach-finance/blob/main/contracts/src/Oracles/Pyth/PythOracle.sol#L98-L103

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

A malicious user could exploit invalid prices for particular tokens OR an honest user could suffer due to utilizing a Pyth oracle with poor confidence suffering a loss of funds.

Even though the owner can change the order of the oracles in tokenToOracleSources when Pyth oracle returns an incorrect price, users before this change will suffer losses before that happens.

PoC

No response

Mitigation

Verify the confidence interval as advised in the [docs](https://docs.pyth.network/price-feeds/best-practices#confidence-intervals