Skip to content

Latest commit

 

History

History
36 lines (25 loc) · 1.67 KB

File metadata and controls

36 lines (25 loc) · 1.67 KB

Boxy Gingham Condor

High

Missing Staleness Check in _getLatestPrice

Summary

The _getLatestPrice function retrieves the latest price data from a price oracle (Pyth). However, the function does not validate the staleness of the retrieved price data based on its published timestamp. This missing check can lead to scenarios where outdated or stale price data is used, which may negatively impact the protocol's operations, such as incorrect price calculations or vulnerable logic dependent on price accuracy.

The issue occurs because the function calls pyth.getPriceUnsafe(priceFeedId) to fetch the price but does not compare the price's publishTime to an acceptable threshold. Without this validation, prices fetched might be significantly outdated.

function _getLatestPrice(address token) internal view returns (uint256, uint256) {
    if (priceFeedIds[token] == bytes32(0)) return (0, 0);

    bytes32 priceFeedId = priceFeedIds[token];
    PythStructs.Price memory pythPrice = pyth.getPriceUnsafe(priceFeedId);

    //@audit no staleness check with the published time

    uint256 price = uint256(uint64(pythPrice.price));
    uint256 expo = uint256(uint32(-pythPrice.expo));

    return (price, expo);
}

Mitigation

Implement a staleness check to ensure the fetched price is recent. This can be achieved by comparing the pythPrice.publishTime with the current block timestamp and enforcing a maximum staleness threshold.

    require(
        currentTime - pythPrice.publishTime <= maxStaleTime,
        "Stale price data"
    );