Skip to content

Latest commit

 

History

History
53 lines (33 loc) · 1.46 KB

012.md

File metadata and controls

53 lines (33 loc) · 1.46 KB

Smooth Ultraviolet Turkey

High

Pyth oracle integration doesn't check confidence interval while fetching price feed

Summary

As per Pyth docs https://docs.pyth.network/price-feeds/best-practices#confidence-intervals, It is important to check the confidence interval in the price feed. If it breaches the certain level then the execution shouldn't proceed. This means there is a major difference in prices from different price sources.

Root Cause

https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/oracle/External/PythOracle.sol#L27

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

No response

PoC

No response

Mitigation

    function currentValue() external view override returns (uint256) {
        IPyth.Price memory price = pythOracle.getPriceUnsafe(tokenId);
+       if (price.conf > 0 && (price.price / int64(price.conf) < minConfidenceRatio)) {
+           revert LowConfidencePyth(price.price, price.conf);
+       }
        require(
            price.publishTime < block.timestamp - noOlderThan,
            "Stale Price"
        );
        return uint256(uint64(price.price));
    }

The minConfidenceRatio value could be an additional parameter for Pyth nodes, a global configuration or a constant in the contract.

Note that a confidence interval of 0 means no spread in price, so should be considered as a valid price.