Boost _ IDEX 34239 - [Smart Contract - Insight] Dont validate stale price in Pyth Network
Submitted on Wed Aug 07 2024 10:21:25 GMT-0400 (Atlantic Standard Time) by @Hoverfly9132 for Boost | IDEX
Report ID: #34239
Report type: Smart Contract
Report severity: Insight
Target: https://github.com/idexio/idex-contracts-ikon/blob/main/contracts/oracle-price-adapters/PythOraclePriceAdapter.sol
Impacts:
Protocol insolvency
Description
Bug Description
The PythOraclePriceAdapter#loadPriceForBaseAssetSymbol
get price by pyth oracle getPriceUnsafe
function:
function loadPriceForBaseAssetSymbol(string memory baseAssetSymbol) public view returns (uint64 price) {
PythMarket memory market = marketsByBaseAssetSymbol[baseAssetSymbol];
require(market.exists, "Unknown base asset symbol");
// @audit-issue - may get stale price
PythStructs.Price memory pythPrice = pyth.getPriceUnsafe(market.priceId);
uint64 priceInPips = _priceToPips(pythPrice.price, pythPrice.expo, market.priceMultiplier);
require(priceInPips > 0, "Unexpected zero price");
return priceInPips;
}
However, the getPriceUnsafe
function may return stale price as the official describe:
/// @notice Returns the price of a price feed without any sanity checks. /// @dev This function returns the most recent price update in this contract without any recency checks. /// This function is unsafe as the returned price update may be arbitrarily far in the past. /// /// Users of this function should check the
publishTimein the price to ensure that the returned price is /// sufficiently recent for their application. If you are considering using this function, it may be /// safer / easier to use either
getPriceor
getPriceNoOlderThan. /// @return price - please read the documentation of PythStructs.Price to understand how to use this safely.
So it may return stale price but the protocol don't validate it.
Impact
The protocol may use stale pyth price may cause users asset account error.
Recommendation
Using pyth.updatePriceFeeds
for updating prices, followed by pyth.getPrice
for retrieval. Following the example in: https://github.com/pyth-network/pyth-sdk-solidity/blob/main/README.md#example-usage
Impact: High Likelihood: Low
So i evaluate this issue is medium.
Proof of concept
PoC
The finding is easy to understand but as boost rule we need provide PoC, so we mock the loadPriceForBaseAssetSymbol
function with getPriceUnsafe
function, compare the price before and after.
contract MockPriceConsumer {
PythStructs.Price public price;
constructor() {
}
function loadPriceForBaseAssetSymbol(bytes32 priceId) public view returns (uint64 price) {
uint64 eth_usdc = 2000e6;
return eth_usdc;
}
function updatePriceFeeds(uint publishTime) public {
price = PythStructs.Price({price: 2000e6, conf: 1, expo: -8, publishTime: publishTime});
}
function getPublishTime() public view returns (uint) {
return price.publishTime;
}
}
contract PythUnsafeTest is Test {
function testUnsafePrice() public {
MockPriceConsumer mockPriceConsumer = new MockPriceConsumer();
mockPriceConsumer.updatePriceFeeds(block.timestamp);
uint pubTime1 = mockPriceConsumer.getPublishTime();
uint64 p1 = mockPriceConsumer.loadPriceForBaseAssetSymbol(0x00);
vm.warp(block.timestamp + 3600*24);
uint64 p2 = mockPriceConsumer.loadPriceForBaseAssetSymbol(0x00);
uint pubTime2 = mockPriceConsumer.getPublishTime();
assertEq(p1, p2);
assertEq(pubTime1, pubTime2);
}
}
Last updated
Was this helpful?