Category: Coding Mistakes
Centralization risk in setPyth function
Low Severity
Low Impact
Low Likelihood
Description
The following function can only be executed by the owner address. In other words, if the private key of the owner address is leaked for some reason, such as an accident or a system compromise, whoever holds it can point the contract at an arbitrary Pyth address and price ID, so all price data returned by the Oracle can be manipulated.
    // Only the single owner address can swap the price source and feed ID.
    function setPyth(address newPythAddress, bytes32 newPythID) external onlyOwner {
        pyth = IPyth(newPythAddress);
        pythID = newPythID;
    }
    [...]
    // Every consumer reads its price through whatever `pyth`/`pythID` the owner last set.
    function latestAnswer() public view override returns (int256) {
        PythStructs.Price memory price = pyth.getPriceUnsafe(pythID);
        return int256(price.price);
    }
Impact
All types of dApps that obtain price data from this Oracle contract may suffer economic losses.
Recommendations
Reduce centralization risk where possible. One recommended method is to set the owner to a multi-sig wallet instead of an EOA.
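As an added illustration of that recommendation (example code, not Yei Finance's contract), the following hypothetical adapter takes the multi-sig address as its owner at deployment, uses OpenZeppelin's Ownable2Step so a later hand-off to a new multi-sig must be accepted by the recipient, and emits an event on every feed change so off-chain monitoring can alert on an unexpected setPyth call. It assumes OpenZeppelin Contracts 5.x and the Pyth Solidity SDK interfaces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";
import {IPyth} from "@pythnetwork/pyth-sdk-solidity/IPyth.sol";
import {PythStructs} from "@pythnetwork/pyth-sdk-solidity/PythStructs.sol";

/// Hypothetical hardened oracle adapter (not Yei Finance's code).
/// The owner is intended to be a multi-sig wallet; Ownable2Step makes any
/// later hand-off explicit, so ownership cannot land on a mistyped address.
contract PythAdapter is Ownable2Step {
    IPyth public pyth;
    bytes32 public pythID;

    /// Emitted on every feed change so monitoring can alert on it.
    event PythUpdated(address indexed oldPyth, bytes32 oldID, address indexed newPyth, bytes32 newID);

    /// @param multisig address of the multi-sig wallet that owns the adapter
    constructor(address multisig, address initialPyth, bytes32 initialID) Ownable(multisig) {
        _setPyth(initialPyth, initialID);
    }

    function setPyth(address newPythAddress, bytes32 newPythID) external onlyOwner {
        _setPyth(newPythAddress, newPythID);
    }

    function _setPyth(address newPythAddress, bytes32 newPythID) internal {
        require(newPythAddress != address(0), "pyth: zero address");
        require(newPythAddress.code.length > 0, "pyth: not a contract");
        // Sanity check: the new source must already serve this price id.
        // Pyth's reference contract reverts for an unknown id; the publishTime
        // check additionally rejects a contract that returns an empty struct.
        PythStructs.Price memory p = IPyth(newPythAddress).getPriceUnsafe(newPythID);
        require(p.publishTime != 0, "pyth: unknown price id");
        emit PythUpdated(address(pyth), pythID, newPythAddress, newPythID);
        pyth = IPyth(newPythAddress);
        pythID = newPythID;
    }

    function latestAnswer() public view returns (int256) {
        PythStructs.Price memory price = pyth.getPriceUnsafe(pythID);
        return int256(price.price);
    }
}
```

The multi-sig alone does not stop a malicious change; it raises the number of keys that must be compromised, while the event gives defenders a concrete signal to watch for.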
Remediation
The Yei Finance team has decided to follow our recommendations.