058.md

Quiet Cerulean Anteater

Medium

Lack of Sanity Check on Price Feed IDs in Constructor

Summary

The constructor of the PythOracle contract initializes price feed mappings for underlying tokens using the provided _underlyingTokens and _priceFeedIds arrays. However, there is no sanity check to validate the provided priceFeedId values. This allows the initialization of invalid or non-existent price feed IDs, which could lead to incorrect or broken price feeds.

Root Cause

• In PythOracle.sol:25-37 https://github.com/sherlock-audit/2024-12-mach-finance/blob/main/contracts/src/Oracles/Pyth/PythOracle.sol#L25-L37 The provided _priceFeedIds[i] values are directly assigned without validating if these IDs are valid within the Pyth price feed system. Without validation, the following risks arise:

• An invalid priceFeedId can lead to inaccurate or missing price data.

• If the priceFeedId does not correspond to an actual feed in the Pyth system, downstream calls that rely on this feed will fail or provide incorrect results.

• It is inconsistent with the _setPriceFeedId and setPriceFeedId functions, which include a sanity check (pyth.getPriceUnsafe(priceFeedId)).

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

1. Inaccurate Price Data: Contracts dependent on the PythOracle for accurate pricing will be exposed to risk if an invalid price feed is initialized.
2. Broken System Functionality: Downstream functions relying on valid price feeds will revert or fail if an invalid priceFeedId is used.
3. Inconsistent Logic: The constructor’s behavior is inconsistent with the _setPriceFeedId and setPriceFeedId functions, which enforce validation.

PoC

No response

Mitigation

• Introduce a sanity check for each priceFeedId during initialization
• Instead of directly assigning priceFeedIds in the constructor, reuse the _setPriceFeedId function for consistent validation logic: