#35767 [SC-Critical] constanct value is used to check `price.confidence`

Submitted on Oct 7th 2024 at 09:07:06 UTC by @jasonxiale for

Report ID: #35767
Report Type: Smart Contract
Report severity: Critical
Target: https://github.com/Swaylend/swaylend-monorepo/blob/develop/contracts/market/src/main.sw
Impacts:
- Protocol insolvency

Description

Brief/Intro

In [Market.get_price_internal] (https://github.com/Swaylend/swaylend-monorepo/blob/34ada63c18efd163ef80694c404d0573d49d46b4/contracts/market/src/main.sw#L1017-L1050), while validating the Pyth's price, the function checks the `price.confidence` in .

The issue is that `get_price_internal` will be used to get price for different `price_fee_id`, but the returned price will be checked against the same constant value

Vulnerability Details

As shown in , uses constant values to check `price.confidence`

```Rust 1017 #[storage(read)] 1018 fn get_price_internal(price_feed_id: PriceFeedId) -> Price { 1019 let contract_id = storage.pyth_contract_id.read(); 1020 require( 1021 contract_id != ContractId::zero(), 1022 Error::OracleContractIdNotSet, 1023 ); 1024 ... 1045 require( 1046 u256::from(price.confidence) <= (u256::from(price.price) * ORACLE_MAX_CONF_WIDTH / ORACLE_CONF_BASIS_POINTS), 1047 Error::OraclePriceValidationError, 1048 ); <<<--- constant value is checked here 1049 1050 price 1051 } ```

Impact Details

`Market.get_price_internal` is important, because it is used while borrow/liquidate assets:

if the constant value is too wide for some price-feeds, the user/protocol might execute the tx at a bad price
if the constant value is too restrict for some price-feeds, the tx might always revert

References

Add any relevant links to documentation or code

Proof of Concept

At the moment: >BTC/USD: price $63620, confidence: +- $16

>CBBTC/USD: price $63610, confidence: +- $509

Please put the following code into a new file named `check.rs` and run: ```bash root@4d98affa1474:/in/temp# rustc check.rs ; ./check BTC check: true CBBTC check: false ```

As we can see, BTC/USD can pass the check, and CBBTC/USD can't pass the check

```Rust pub const ORACLE_MAX_CONF_WIDTH: u64 = 20; pub const ORACLE_CONF_BASIS_POINTS: u64 = 10_000; fn main() { let btc_price : u64 = 63620; let btc_confidence: u64 = 16;

let cbbtc_price     : u64 &#x3D; 63610;
let cbbtc_confidence: u64 &#x3D; 509;

println!(&quot;BTC check: {}&quot;, btc_confidence &lt;&#x3D; btc_price * ORACLE_MAX_CONF_WIDTH / ORACLE_CONF_BASIS_POINTS);
println!(&quot;CBBTC check: {}&quot;, cbbtc_confidence &lt;&#x3D; cbbtc_price * ORACLE_MAX_CONF_WIDTH / ORACLE_CONF_BASIS_POINTS);

} ```

Previous#35794 [SC-Insight] `Market.absorb` can be called when `Market.supply_collateral` is paused Next#35876 [SC-High] Users will lose funds on calls to critical functions if the prices are not updated

Was this helpful?