Boxy Gingham Condor
High
The _getLatestPrice
function retrieves the latest price data from a price oracle (Pyth). However, the function does not validate the staleness of the retrieved price data based on its published timestamp. This missing check can lead to scenarios where outdated or stale price data is used, which may negatively impact the protocol's operations, such as incorrect price calculations or vulnerable logic dependent on price accuracy.
The issue occurs because the function calls pyth.getPriceUnsafe(priceFeedId)
to fetch the price but does not compare the price's publishTime
to an acceptable threshold. Without this validation, prices fetched might be significantly outdated.
function _getLatestPrice(address token) internal view returns (uint256, uint256) {
if (priceFeedIds[token] == bytes32(0)) return (0, 0);
bytes32 priceFeedId = priceFeedIds[token];
PythStructs.Price memory pythPrice = pyth.getPriceUnsafe(priceFeedId);
//@audit no staleness check with the published time
uint256 price = uint256(uint64(pythPrice.price));
uint256 expo = uint256(uint32(-pythPrice.expo));
return (price, expo);
}
Implement a staleness check to ensure the fetched price is recent. This can be achieved by comparing the pythPrice.publishTime
with the current block timestamp and enforcing a maximum staleness threshold.
require(
currentTime - pythPrice.publishTime <= maxStaleTime,
"Stale price data"
);