042.md

File metadata and controls

39 lines (28 loc) · 1.84 KB

Beautiful Tangerine Panther

High

Incorrect stale price validation will enable the use of outdated prices impacting financial computations

Summary

The inverted staleness condition in PythOracle.currentValue() will cause inaccurate computations for users, because outdated price data can pass the check and be used in financial operations.

Root Cause

In PythOracle.sol:29, the require condition price.publishTime < block.timestamp - noOlderThan is inverted: it passes only when the price was published more than noOlderThan seconds ago, so stale prices are accepted while prices inside the freshness window revert.

Internal Pre-conditions

N/A

External Pre-conditions

N/A

Attack Path

  1. A malicious or outdated oracle returns a stale price.
  2. The currentValue() function in PythOracle accepts the stale price due to incorrect validation logic.
  3. Dependent contracts such as AutomationMaster use the outdated price for financial calculations, leading to inaccurate exchange rates or validations.

Impact

The affected users or contracts relying on AutomationMaster for exchange rates and validations suffer from incorrect computations, potentially leading to financial loss or failed transactions. The attacker does not directly gain, but the issue could cause systemic financial inaccuracies or exploitation scenarios.

Mitigation

Update the condition in PythOracle.sol:29 to ensure the timestamp is validated correctly:

Include the following corrected line:

require(price.publishTime >= block.timestamp - noOlderThan, "Stale Price");

Exclude the original incorrect line:

require(price.publishTime < block.timestamp - noOlderThan, "Stale Price");

This change ensures only recent price data is accepted for financial computations.
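An added Python model of the two require conditions (not the project's code; the PythPrice struct, the timestamps and the checked-subtraction behaviour are constructed stand-ins) that runs both checks over prices of increasing age to show which ages each version accepts:

```python
"""Model of the staleness check in PythOracle.currentValue() (constructed, not the project's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PythPrice:
    price: int         # constructed stand-in for Pyth's price field
    publish_time: int  # unix seconds, when the price was published


class StalePrice(Exception):
    """Models the require(..., "Stale Price") revert."""


def window_start(block_timestamp: int, no_older_than: int) -> int:
    # Assumption: Solidity >=0.8 checked arithmetic, so block.timestamp - noOlderThan
    # reverts (panics) instead of wrapping when noOlderThan exceeds the timestamp.
    if no_older_than > block_timestamp:
        raise ArithmeticError("panic: arithmetic underflow")
    return block_timestamp - no_older_than


def stale_check_buggy(p: PythPrice, block_timestamp: int, no_older_than: int) -> int:
    # Original line: require(price.publishTime < block.timestamp - noOlderThan, "Stale Price");
    if not (p.publish_time < window_start(block_timestamp, no_older_than)):
        raise StalePrice("Stale Price")
    return p.price


def stale_check_fixed(p: PythPrice, block_timestamp: int, no_older_than: int) -> int:
    # Corrected line: require(price.publishTime >= block.timestamp - noOlderThan, "Stale Price");
    if not (p.publish_time >= window_start(block_timestamp, no_older_than)):
        raise StalePrice("Stale Price")
    return p.price


def accepts(check, p: PythPrice, block_timestamp: int, no_older_than: int) -> bool:
    """True if the check returns a price, False if it reverts with "Stale Price"."""
    try:
        check(p, block_timestamp, no_older_than)
        return True
    except StalePrice:
        return False


def compare(ages, now: int = 1_700_000_000, no_older_than: int = 60) -> dict:
    """For each price age in seconds, return (buggy_accepts, fixed_accepts)."""
    result = {}
    for age in ages:
        p = PythPrice(price=3_000_00000000, publish_time=now - age)  # constructed sample
        result[age] = (accepts(stale_check_buggy, p, now, no_older_than),
                       accepts(stale_check_fixed, p, now, no_older_than))
    return result
```

With a 60-second window the buggy check rejects a price published right now and accepts one that is an hour old; the corrected check does the opposite, and a price exactly noOlderThan seconds old sits on the accepted side of the fixed condition.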